Oracle Java Security Challenges - What you need to know


As of April 16, 2019, Oracle changed its Java support policy: any Oracle/Sun Microsystems Java Standard Edition (SE) release, including JRE and JDK, whether on a Long Term Support (LTS) or non-LTS release, now requires a paid license, support contract or subscription from Oracle (Oracle Java SE Advanced/Desktop) in order to receive commercial patches, including security updates. The majority of Java customers worldwide run Oracle Java 6, 7, 8 (LTS) or 11 (LTS), so this change applies to all customers, whether or not they are otherwise Oracle shops, and has a significant impact on organizations that have not budgeted for it.

Additionally, starting with version 11, Oracle has replaced the Binary Code License (BCL) agreement for Java SE releases with its standard Oracle Technology Network (OTN) agreement, which includes an audit clause. The details follow below:

Which Version Security Update / Patch Update Requires a Paid Subscription?

Due to Oracle's support policy changes for Java, customers have not received free security updates for Java 8 since April 16, 2019. Here is an overview of the Java versions and patch levels beyond which a commercial subscription is required to obtain security patches and updates:

  • Java 6: patchset 45
  • Java 7: patchset 80
  • Java 8: patchset 202
  • Any Java version covered by the OTN agreement
  • Java 11, 12, 13, 14
  • Any use of commercial features

These Security Patches Have Fixes for Following Vulnerability Issues in General:

  1. Successful attacks on Java vulnerabilities can result in unauthorized update, insert or delete access to some Java SE and Java SE Embedded accessible data, as well as unauthorized read access to a subset of Java SE and Java SE Embedded accessible data.
  2. Security issues allowing remote attackers to affect confidentiality, integrity and availability via unknown vectors related to JavaFX.
  3. Vulnerabilities allowing an unauthenticated attacker with network access via multiple protocols to compromise Java SE and Java SE Embedded.
  4. And many more…

The National Vulnerability Database (NVD) is a comprehensive source of security vulnerability and patch information. A quick check of the security impact of various Java 8 patch levels is shown below (CVSS v2 and v3 scores as recorded in NVD):

| Version | No. of vulnerabilities | Max CVSS v2 Base | Max CVSS v2 Impact | Max CVSS v2 Exploitability | Avg CVSS v2 Base | Avg CVSS v2 Impact | Avg CVSS v2 Exploitability | Max CVSS v3 Base |
|---|---|---|---|---|---|---|---|---|
| 8 | 3 | 9.3 | 8.6 | 10.0 | 6.0 | 8.6 | 5.3 | 0.0 |
| 8u201 | 2 | 5.0 | 10.0 | 2.9 | 4.7 | 9.3 | 2.9 | 7.5 |
| 8u202 | 5 | 6.8 | 10.0 | 6.4 | 5.9 | 8.9 | 5.0 | 9.0 |
| 8u211 | 5 | 5.8 | 10.0 | 4.9 | 4.2 | 7.7 | 3.3 | 5.3 |
| 8u212 | 7 | 5.8 | 10.0 | 4.9 | 3.9 | 7.2 | 3.2 | 5.3 |
| 8u221 | 32 | 5.8 | 8.6 | 4.9 | 4.2 | 8.0 | 3.2 | 6.8 |
| 8u231 | 14 | 6.8 | 8.6 | 6.4 | 4.9 | 8.6 | 3.7 | 8.1 |
| 8u241 | 20 | 5.8 | 10.0 | 6.4 | 4.8 | 8.1 | 3.8 | 8.1 |
| 8u251 | 9 | 5.8 | 4.9 | 4.9 | 4.7 | 3.9 | 7.9 | 4.8 |
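As an added example (not code from the original article), the following Python computes the CVSS v2 base, impact and exploitability sub-scores that the table's columns summarize, then aggregates a set of records per Java version into the same count, maximum and average columns. The formula is the published CVSS v2 base-score equation; the vulnerability records are constructed samples, not real NVD entries.

```python
"""CVSS v2 sub-scores from vector strings, aggregated per Java release the
way the NVD summary table above is built (CVSS v3 column omitted)."""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 base-score equation.
W = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}

def round1(x):
    """Round half up to one decimal, as NVD does (Python's round() is banker's)."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

def cvss2_scores(vector):
    """Return (base, impact, exploitability) for e.g. 'AV:N/AC:M/Au:N/C:C/I:C/A:C'."""
    m = dict(part.split(":") for part in vector.strip("()").split("/"))
    c, i, a = W["C"][m["C"]], W["I"][m["I"]], W["A"][m["A"]]
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploit = 20 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * W["Au"][m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    base = ((0.6 * impact) + (0.4 * exploit) - 1.5) * f_impact
    return round1(base), round1(impact), round1(exploit)

def summarize(records):
    """Group (version, vector) records into the table's count/max/average columns."""
    per_version = {}
    for version, vector in records:
        per_version.setdefault(version, []).append(cvss2_scores(vector))
    table = {}
    for version, scores in per_version.items():
        cols = list(zip(*scores))  # (bases, impacts, exploitabilities)
        table[version] = {
            "count": len(scores),
            "max": tuple(max(col) for col in cols),
            "avg": tuple(round1(sum(col) / len(col)) for col in cols),
        }
    return table

# Constructed sample records (hypothetical, not real CVE data).
SAMPLE = [
    ("8u202", "AV:N/AC:M/Au:N/C:C/I:C/A:C"),  # full compromise, medium complexity
    ("8u202", "AV:N/AC:L/Au:N/C:P/I:N/A:N"),  # simple information disclosure
    ("8u212", "AV:L/AC:L/Au:N/C:N/I:N/A:P"),  # local partial denial of service
]

if __name__ == "__main__":
    for version, row in summarize(SAMPLE).items():
        print(version, row)
```

Feeding the real NVD vectors for each Java 8 patch level through summarize() reproduces the count, max and average CVSS v2 columns of the table.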

What is Your Java OPEX Impact?

A typical small environment of fewer than 1,000 desktops and servers with 1,300 cores can have an OPEX outlay as follows:

[Figure: OPEX outlay for a small environment (image not reproduced)]

A large enterprise environment, by contrast, can have a substantial OPEX impact:

[Figure: OPEX outlay for a large environment (image not reproduced)]

SoftwareONE Advisory Approach to Address this Challenge

  • Technical assessment of client machines, servers (physical and virtual) and cloud instances for JRE/JDK installations.
  • Optimization of bundled Java usage with products from vendors that provide their own Java support (Oracle, IBM, Red Hat, SAP, AWS, etc.).
  • Assessment of OpenJDK as an alternative, based on a rationalization of the Java-based application portfolio.
  • Outcome-based Java subscriptions from vendors such as Oracle, Azul Systems and IBM/Red Hat.

Looking for More?

SoftwareONE’s Oracle and Java global advisory team has years of consulting experience around technology, compliance and commercial advisory. Please reach out to us for the latest in Oracle Java guidance.


Author

Abhishek Gupta

Global Oracle / Java Practice Leader

Publisher Advisory | Oracle Global
