Oracle Java Security Challenges - What you need to know


As of April 16, 2019, Oracle changed its Java support policy: any Oracle/Sun Microsystems Java Standard Edition (SE) release, including the JRE and JDK, whether on a Long Term Support (LTS) or a non-LTS release line, now requires a paid license and support (Java SE Advanced / Advanced Desktop) or a Java SE Subscription from Oracle in order to receive commercial patches, including security updates. Because the majority of Java customers worldwide run Oracle Java 6, 7, 8 (LTS) and 11 (LTS), this change applies to practically every organization, Oracle shop or not, and for most of them it arrives as an unplanned budget item.

Additionally, Oracle has replaced the Binary Code License (BCL) agreement with its standard Oracle Technology Network (OTN) License Agreement, which includes an audit clause, for all Oracle Java SE releases from version 11 onward (and for Java 8 updates released after April 16, 2019, beginning with 8u211). The details follow below.

Which Security Updates Require a Paid Subscription?

Because of Oracle's support policy change, customers have not received free security updates for Java 8 since April 16, 2019. The following is an overview of the Java versions and update levels beyond which a commercial subscription is required to obtain security patches and updates:

  • Java 6: updates after 6u45
  • Java 7: updates after 7u80
  • Java 8: updates after 8u202
  • Any Java version licensed under the OTN agreement
  • Oracle JDK 11, 12, 13 and 14
  • Any use of Java SE commercial features
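The thresholds above can be turned into a mechanical check against the banner that `java -version` prints, which is the kind of test a technical assessment of JRE/JDK installations runs on every host. The script below is an added example, not code from the article, SoftwareONE or Oracle. It assumes that Oracle builds print "Java(TM)" in their runtime banner while OpenJDK builds (including Oracle's own GPL-licensed OpenJDK builds) print "OpenJDK"; that the last update of each line shipped without a subscription is 6u45, 7u80 and 8u202 as listed above; and that Oracle JDK 11 and later, and Java 8 updates after 8u202, are OTN-licensed. The sample banners are constructed in the real output format of the respective builds.

```python
"""Classify a Java runtime from its `java -version` banner against Oracle's
post-April-2019 policy (added example; assumptions listed in the lead-in)."""
import re
import shutil
import subprocess
from dataclasses import dataclass
from typing import Optional, Tuple

LAST_FREE_UPDATE = {6: 45, 7: 80, 8: 202}  # last free update per line, from the list above

OUTSIDE_ORACLE_POLICY = "outside_oracle_policy"        # OpenJDK or another vendor's build
NO_FURTHER_FREE_UPDATES = "no_further_free_updates"    # BCL-era Oracle build; newer patches need a subscription
OTN_SUBSCRIPTION_REQUIRED = "otn_subscription_required"  # OTN-licensed Oracle build (8u211+, 11+)


@dataclass(frozen=True)
class JavaInstall:
    vendor: str   # "Oracle" or "OpenJDK" (assumed from the runtime banner)
    major: int    # 8 for 1.8.0_202, 11 for 11.0.7
    update: int   # 202 for 1.8.0_202; the security component (7) for 11.0.7
    status: str


_VERSION_LINE = re.compile(r'^(?:java|openjdk) version "([^"]+)"', re.MULTILINE)


def parse_version(banner: str) -> Tuple[int, int]:
    """Return (major, update) for both Oracle version schemes.

    Pre-9 scheme: 1.8.0_202-b08 -> (8, 202). JEP 223 scheme: 11.0.7+8-LTS -> (11, 7)."""
    m = _VERSION_LINE.search(banner)
    if m is None:
        raise ValueError("no 'java version' / 'openjdk version' line in banner")
    v = m.group(1)
    old = re.match(r"1\.(\d+)\.\d+(?:_(\d+))?", v)
    if old:
        return int(old.group(1)), int(old.group(2) or 0)
    new = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", v)
    if new:
        return int(new.group(1)), int(new.group(3) or 0)
    raise ValueError(f"unrecognised version string {v!r}")


def classify(banner: str) -> JavaInstall:
    """Decide whether this install is outside Oracle's policy, a BCL-era build
    that will receive no further free updates, or an OTN-licensed build."""
    major, update = parse_version(banner)
    vendor = "Oracle" if "Java(TM)" in banner else "OpenJDK"
    if vendor != "Oracle":
        return JavaInstall(vendor, major, update, OUTSIDE_ORACLE_POLICY)
    last_free = LAST_FREE_UPDATE.get(major)
    if major >= 11 or (last_free is not None and update > last_free):
        return JavaInstall(vendor, major, update, OTN_SUBSCRIPTION_REQUIRED)
    return JavaInstall(vendor, major, update, NO_FURTHER_FREE_UPDATES)


def local_java() -> Optional[JavaInstall]:
    """Classify the java on PATH, if any (java -version writes its banner to stderr)."""
    exe = shutil.which("java")
    if exe is None:
        return None
    out = subprocess.run([exe, "-version"], capture_output=True, text=True)
    return classify(out.stderr or out.stdout)


# Constructed banners in the real output formats of Oracle JDK 8, Oracle JDK 11 and OpenJDK 8.
SAMPLE_BANNERS = {
    "oracle_8u202": 'java version "1.8.0_202"\nJava(TM) SE Runtime Environment (build 1.8.0_202-b08)\n',
    "oracle_8u251": 'java version "1.8.0_251"\nJava(TM) SE Runtime Environment (build 1.8.0_251-b08)\n',
    "oracle_11": 'java version "11.0.7" 2020-04-14 LTS\nJava(TM) SE Runtime Environment 18.9 (build 11.0.7+8-LTS)\n',
    "openjdk_8": 'openjdk version "1.8.0_252"\nOpenJDK Runtime Environment (build 1.8.0_252-b09)\n',
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:13s} -> {classify(banner)}")
    print("java on PATH  ->", local_java())
```

On a fleet, the useful deployment is to run this against every `java` binary found on each host (not only the one on PATH): application servers and vendor products frequently bundle their own JRE, and those are the installs the licensing and patch-status review tends to miss.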

What These Security Patches Fix, in General:

  1. Vulnerabilities that give an attacker unauthorized update, insert or delete access to some Java SE and Java SE Embedded accessible data, as well as unauthorized read access to a subset of that data.
  2. Issues that allow remote attackers to affect confidentiality, integrity and availability via unspecified vectors related to JavaFX.
  3. Vulnerabilities that allow an unauthenticated attacker with network access via multiple protocols to compromise Java SE and Java SE Embedded.
  4. And many more…

Note that Oracle's advisories distinguish between fixes that apply only to client deployments running untrusted code (sandboxed Java applets and Java Web Start applications) and fixes that also apply to server deployments running only trusted code; the practical severity of a missed patch depends on which of these categories it falls into.

The National Vulnerability Database (NVD) is a comprehensive source of vulnerability data: each CVE entry carries CVSS scores and a list of affected products (CPE names) that can be matched to specific Java update levels, although the patches themselves come from Oracle. A quick check of the Java 8 update releases for security impact is below:

Columns: number of vulnerabilities recorded against that update level, then the maximum and average CVSS v2 Base, Impact and Exploitability scores, and the maximum CVSS v3 Base score. A 0.0 in the v3 column means NVD recorded no v3 score for those entries (the oldest ones predate CVSS v3 scoring).

Version  Vulns  Max v2 Base  Max v2 Impact  Max v2 Exploit  Avg v2 Base  Avg v2 Impact  Avg v2 Exploit  Max v3 Base
8          3        9.3          8.6            10.0           6.0           8.6            5.3           0.0
8u201      2        5.0         10.0             2.9           4.7           9.3            2.9           7.5
8u202      5        6.8         10.0             6.4           5.9           8.9            5.0           9.0
8u211      5        5.8         10.0             4.9           4.2           7.7            3.3           5.3
8u212      7        5.8         10.0             4.9           3.9           7.2            3.2           5.3
8u221     32        5.8          8.6             4.9           4.2           8.0            3.2           6.8
8u231     14        6.8          8.6             6.4           4.9           8.6            3.7           8.1
8u241     20        5.8         10.0             6.4           4.8           8.1            3.8           8.1
8u251      9        5.8          4.9             4.9           4.7           3.9            7.9           4.8
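A table like the one above is an aggregation of NVD records grouped by the Java 8 update level each CVE is recorded as affecting. The script below, added here as an example and not code from the article, SoftwareONE or NVD, reproduces that aggregation: it maps each CPE name to an update label ("8u202", or "8" for the GA release), counts each CVE once per update level even when both the JRE and JDK entries list it, and computes the same maximum/average CVSS v2 subscores and maximum CVSS v3 Base score. It assumes the record shape of the NVD CVE API 2.0 JSON ("vulnerabilities" -> "cve" -> "metrics" and "configurations"); the sample records are constructed, with placeholder CVE-0000-* identifiers that are not real CVEs.

```python
"""Aggregate NVD CVE records per Oracle Java 8 update level (added example;
record shape and sample data are assumptions described in the lead-in)."""
from typing import Dict, Iterable, List, Optional, Set

JAVA_PRODUCTS = {"jre", "jdk", "java_se"}  # CPE product names NVD uses for Oracle Java SE


def version_label(criteria: str) -> Optional[str]:
    """Map a CPE 2.3 name to the table's version labels.

    cpe:2.3:a:oracle:jre:1.8.0:update202:... -> "8u202"; update "-" -> "8" (the GA release);
    anything that is not Oracle Java 1.8.0 -> None."""
    parts = criteria.split(":")
    if len(parts) < 7 or parts[3] != "oracle" or parts[4] not in JAVA_PRODUCTS:
        return None
    version, update = parts[5], parts[6]
    if version != "1.8.0":
        return None
    if update in ("-", "*"):
        return "8"
    if update.startswith("update"):
        return "8u" + update[len("update"):]
    return None


def affected_versions(cve: dict) -> Set[str]:
    """Collect the Java 8 update labels a CVE is recorded as vulnerable for (deduplicated)."""
    found: Set[str] = set()
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if match.get("vulnerable"):
                    label = version_label(match["criteria"])
                    if label:
                        found.add(label)
    return found


def summarize(vulnerabilities: Iterable[dict]) -> Dict[str, dict]:
    """Group CVEs by affected update level and compute the table's columns."""
    per_version: Dict[str, List[dict]] = {}
    for item in vulnerabilities:
        cve = item["cve"]
        metrics = cve.get("metrics", {})
        v2 = (metrics.get("cvssMetricV2") or [{}])[0]
        v3 = (metrics.get("cvssMetricV31") or metrics.get("cvssMetricV30") or [{}])[0]
        scores = {
            "base": v2.get("cvssData", {}).get("baseScore", 0.0),
            "impact": v2.get("impactScore", 0.0),
            "exploit": v2.get("exploitabilityScore", 0.0),
            "v3base": v3.get("cvssData", {}).get("baseScore", 0.0),  # 0.0 when NVD has no v3 score
        }
        for label in affected_versions(cve):  # one count per CVE per level, even if jre and jdk both listed
            per_version.setdefault(label, []).append(scores)
    summary: Dict[str, dict] = {}
    for label, rows in per_version.items():
        n = len(rows)
        summary[label] = {
            "count": n,
            "max_v2_base": max(r["base"] for r in rows),
            "max_v2_impact": max(r["impact"] for r in rows),
            "max_v2_exploit": max(r["exploit"] for r in rows),
            "avg_v2_base": round(sum(r["base"] for r in rows) / n, 1),
            "avg_v2_impact": round(sum(r["impact"] for r in rows) / n, 1),
            "avg_v2_exploit": round(sum(r["exploit"] for r in rows) / n, 1),
            "max_v3_base": max(r["v3base"] for r in rows),
        }
    return summary


def _record(cve_id: str, v2: tuple, v3: Optional[float], cpes: List[str]) -> dict:
    """Build one NVD-API-2.0-shaped record; v2 = (base, impact, exploitability), v3 = base or None."""
    metrics = {"cvssMetricV2": [{"cvssData": {"version": "2.0", "baseScore": v2[0]},
                                 "impactScore": v2[1], "exploitabilityScore": v2[2]}]}
    if v3 is not None:
        metrics["cvssMetricV31"] = [{"cvssData": {"version": "3.1", "baseScore": v3}}]
    cpe_match = [{"vulnerable": True, "criteria": c} for c in cpes]
    return {"cve": {"id": cve_id, "metrics": metrics,
                    "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": cpe_match}]}]}}


# Constructed sample data (placeholder IDs, not real CVEs).
SAMPLE_VULNERABILITIES = [
    _record("CVE-0000-0001", (5.0, 2.9, 10.0), 7.5,
            ["cpe:2.3:a:oracle:jre:1.8.0:update201:*:*:*:*:*:*",
             "cpe:2.3:a:oracle:jdk:1.8.0:update202:*:*:*:*:*:*"]),
    _record("CVE-0000-0002", (6.8, 6.4, 8.6), 9.0,
            ["cpe:2.3:a:oracle:jre:1.8.0:update202:*:*:*:*:*:*",
             "cpe:2.3:a:oracle:jdk:1.8.0:update202:*:*:*:*:*:*",  # same level as the jre entry: counted once
             "cpe:2.3:a:oracle:jre:1.8.0:update211:*:*:*:*:*:*"]),
    _record("CVE-0000-0003", (4.3, 2.9, 8.6), None,  # no v3 score, like the oldest rows in the table
            ["cpe:2.3:a:oracle:jre:1.8.0:-:*:*:*:*:*:*",
             "cpe:2.3:a:oracle:jdk:1.8.0:update202:*:*:*:*:*:*",
             "cpe:2.3:a:oracle:jdk:1.7.0:update80:*:*:*:*:*:*"]),  # Java 7 entry: ignored
]

if __name__ == "__main__":
    for label, stats in sorted(summarize(SAMPLE_VULNERABILITIES).items()):
        print(label, stats)
```

To run this against live data, fetch the records for one update level with the NVD CVE API 2.0 `cpeName` parameter (for example `https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:a:oracle:jre:1.8.0:update202:*:*:*:*:*:*`), pass the response's `vulnerabilities` list to `summarize`, and repeat for the JDK CPE; the deduplication by CVE ID per update level is what keeps the JRE and JDK entries from double counting.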

What is Your Java OPEX Impact?

A typical small environment (fewer than 1,000 desktops and servers, about 1,300 cores) can face an OPEX outlay as below:

[OPEX table for the small environment: image not reproduced in this text]

A large environment can face a substantially larger OPEX impact:

[OPEX table for the large environment: image not reproduced in this text]

SoftwareONE Advisory Approach to Address this Challenge

  • Technical assessment of client machines, servers (physical and virtual) and cloud instances for JRE/JDK installations.
  • Optimization of bundled Java usage with products from vendors that provide their own Java support (Oracle, IBM, Red Hat, SAP, AWS, etc.).
  • Assessment of OpenJDK as an alternative, based on a rationalization of the Java-based application portfolio.
  • Outcome-based Java subscriptions from vendors such as Oracle, Azul Systems and IBM/Red Hat.

Looking for More?

SoftwareONE’s Oracle and Java global advisory team has years of consulting experience around technology, compliance and commercial advisory. Please reach out to us for the latest in Oracle Java guidance.



Abhishek Gupta

Global Oracle / Java Practice Leader

Publisher Advisory | Oracle Global
