Oracle Java Security Challenges - What you need to know


Oracle has changed its Java support policy. Since April 16, 2019, any Oracle / Sun Microsystems Java Standard Edition (SE) release, including the JRE and JDK, whether a Long Term Support (LTS) release or not, requires a paid Oracle Java SE Advanced / Desktop license, support contract or subscription in order to receive commercial patches, including security updates. The majority of Java customers worldwide use Oracle Java versions 6, 7, 8 (LTS) and 11 (LTS). This applies to all customers, whether or not they are otherwise an Oracle shop, and it has a significant, typically unbudgeted, cost impact on every organization running Oracle Java.

Oracle has also replaced the Binary Code License (BCL) agreement with its standard Oracle Technology Network (OTN) agreement, which carries an audit clause, for all Oracle Java SE releases from version 11 onwards. The details follow.

Which Version Security Update / Patch Update Requires a Paid Subscription?

Because of Oracle's support policy changes for Java, customers no longer receive free security updates after April 16, 2019. The most recent security patch updates therefore require a commercial subscription under Oracle's standard license conditions:

Kit                                      Update                         Released
Java(TM) SE Development Kit 8            Update 211 / 212               April 16, 2019
Java(TM) SE Development Kit 8            Update 221 (JDK 8u221)         July 16, 2019
Java(TM) SE Development Kit 7            Update 221 / 222               April 16, 2019
Java(TM) SE Development Kit 7            Update 231                     July 16, 2019
Java(TM) SE Development Kit 11           11.0.3                         Released under OTN, so a subscription is required even for version 11 installations
Java(TM) SE Development Kit 11           11.0.4                         Released under OTN, so a subscription is required even for version 11 installations

These Security Patches Fix the Following Classes of Vulnerability:

1. Vulnerabilities that apply to Java deployments, typically clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. Such a vulnerability can also be exploited by supplying data to APIs in the affected component, e.g., through a web service that passes data to those APIs.

2. Vulnerabilities that apply to Java deployments, typically clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. Such a vulnerability does not apply to Java deployments, typically servers, that load and run only trusted code (e.g., code installed by an administrator).

3. Vulnerabilities that can only be exploited by supplying data to APIs in the affected component, for example through a web service, without using untrusted Java Web Start applications or untrusted Java applets.

The next Java security patch release is expected on October 15, 2019 and will be available only under a commercial subscription.

What is Your Java OPEX Impact?

A typical small environment of fewer than 1,000 desktops and servers with 1,300 cores can have an OPEX outlay as below:

[Table: OPEX outlay for a small environment; the figure is not reproduced in this text]

A large state environment can have a substantial OPEX impact:

[Table: OPEX outlay for a large state environment; the figure is not reproduced in this text]

SoftwareONE Advisory Approach to Address this Challenge

  • Technical assessment of client machines, physical and virtual servers, and cloud instances for JRE/JDK installations.

  • Optimization by bundling Java usage with products from vendors that provide Java support (Oracle, IBM, Red Hat, SAP, AWS, etc.).

  • Assessment of AdoptOpenJDK and OpenJDK as alternatives, based on a rationalization of the Java applications in use.

  • Finally, subscribing to commercial Java support from Oracle, Azul Systems, IBM and/or Red Hat.
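The first step of the approach, the technical assessment, amounts to inventorying every installed runtime and comparing it with the patch table earlier on this page. The script below is an added illustration of that check; it is not SoftwareONE's or Oracle's code. The thresholds are the update numbers from the table (8u211 / 7u221 / 11.0.3 for April 16, 2019 and 8u221 / 7u231 / 11.0.4 for July 16, 2019), the `java -version` output lines are constructed samples, and reading a `java` versus `openjdk` prefix as a hint of whether a runtime is an OpenJDK build is an assumption, not something the page states.

```python
"""Inventory helper: classify Java runtimes against the 2019 patch table."""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Update level each major release reached on the two 2019 patch dates, taken
# from the table above. For Java 11 the third version component (11.0.4 -> 4)
# is the update number; for 7 and 8 it is the "_NNN" suffix (1.8.0_221 -> 221).
APRIL_2019 = {7: 221, 8: 211, 11: 3}
JULY_2019 = {7: 231, 8: 221, 11: 4}

# First line printed by `java -version`, e.g. java version "1.8.0_201"
VERSION_LINE = re.compile(r'^(java|openjdk) version "([^"]+)"', re.MULTILINE)


def parse_version(version: str) -> Optional[Tuple[int, int]]:
    """Map a Java version string to (major, update).

    Handles the legacy scheme ("1.8.0_221" -> (8, 221)) and the Java 9+
    scheme ("11.0.4" -> (11, 4)); returns None if the string is unparseable.
    """
    version = re.split(r"[+\-]", version, maxsplit=1)[0]  # drop build suffix
    legacy = re.fullmatch(r"1\.(\d+)\.\d+(?:_(\d+))?", version)
    if legacy:
        return int(legacy.group(1)), int(legacy.group(2) or 0)
    modern = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.\d+)*", version)
    if modern:
        return int(modern.group(1)), int(modern.group(3) or 0)
    return None


def classify(version: str) -> str:
    """Say where a runtime stands relative to the April and July 2019 patches."""
    parsed = parse_version(version)
    if parsed is None:
        return "unparseable"
    major, update = parsed
    if major not in JULY_2019:
        return "not-in-table"          # e.g. Java 6: no 2019 patch listed at all
    if update >= JULY_2019[major]:
        return "july-2019-or-later"
    if update >= APRIL_2019[major]:
        return "april-2019-only"       # has the April fixes, lacks the July ones
    return "pre-april-2019"            # lacks both 2019 security patch sets


def inventory(java_version_output: str) -> List[Dict[str, str]]:
    """Scan captured `java -version` output (one or many hosts) and report each runtime."""
    report = []
    for prefix, version in VERSION_LINE.findall(java_version_output):
        report.append({
            "version": version,
            # Assumption: an "openjdk" prefix marks an OpenJDK build; "java" is
            # only a hint that it is Oracle or another non-OpenJDK distribution.
            "build": "openjdk" if prefix == "openjdk" else "oracle-or-other",
            "status": classify(version),
        })
    return report


def local_java_version() -> str:
    """Capture `java -version` from the local PATH (it prints to stderr); '' if absent."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return ""
    return proc.stderr + proc.stdout


# Constructed sample: what `java -version` printed on four different hosts.
SAMPLE_OUTPUT = """\
java version "1.8.0_201"
Java(TM) SE Runtime Environment (build 1.8.0_201-b09)
openjdk version "11.0.4" 2019-07-16
OpenJDK Runtime Environment AdoptOpenJDK (build 11.0.4+11)
java version "1.7.0_221"
java version "1.6.0_45"
"""

if __name__ == "__main__":
    for entry in inventory(SAMPLE_OUTPUT) + inventory(local_java_version()):
        print(f'{entry["version"]:<12} {entry["build"]:<16} {entry["status"]}')
```

Collect the `java -version` output from each host with whatever inventory tooling is already in place and feed the concatenated text to `inventory()`; anything reported as `pre-april-2019`, `april-2019-only` or `not-in-table` is a runtime that is missing commercial security patches and belongs on the list for the optimization and subscription steps.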


Looking for More?

SoftwareONE's global Oracle and Java advisory team has years of consulting experience in technology, compliance and commercial matters. Please reach out to us for the latest Oracle Java advisory guidance.


Author


Abhishek Gupta

Global Oracle / Java Practice Leader

Publisher Advisory | Oracle Global
