Times are changing for Java SE (the collective name for JDK, JRE, Java SDK), but what will actually change and what will be the consequences? In this blog, Softline Solutions sheds light on this topic.
Change in release cadence
Java is managed by the Java Community Process (JCP), which contains about 25 representatives from large companies such as Red Hat, SAP and IBM, but also Alibaba, Credit Suisse and of course Oracle. This same JCP decided that a six-month release should be the standard, instead of a release every three years. Under the new release cadence, every new public version ships with updates, security patches and bug fixes.
All interim fixes are available behind a closed Java SE Portal, as was previously the case, and require a commercial license.
The commercial license for Java SE will be available in a subscription model and covers both the license and the support fee. Without a commercial license, the customer has to rely on one of the publicly available versions, which will not contain all the latest updates, security patches and bug fixes.
Oracle has determined that multi-year support is not feasible for every release in the 6-month cadence, and instead designates one release every three years as a Long Term Support (LTS) version, which guarantees 8 years of (paid) support on that specific version.
- Oracle Java SE 8 and 11 have been classified as LTS releases, which guarantees 8 years of (paid) support on those specific versions;
- Oracle Java SE 9 and 10 will be short-lived feature releases, with free updates made available by Oracle for only 6 months;
- For Oracle Java SE 8, public updates will cease in January 2019;
- It is still possible to update Java software every 6 months. It makes sense to track all available releases in order to anticipate the contents of the next LTS release and to determine the impact and upgrade path.
Security Compliance Risks
The main risks Softline Solutions has identified are:
- When sticking to the public versions of Oracle Java SE, the latest updates, security patches and bug fixes will not be available;
- At version/patch level, older versions of Oracle Java software already score high on the CVSS rating (Common Vulnerability Scoring System), which means possible security policy risks have been identified wherever Java components have not been upgraded to the most recent (licensable) version.
These security risks may in turn cause privacy risks, with related financial consequences under the AVG or GDPR regulations.
License Compliance Risks
Aside from the identified possible security compliance risks, there might be a licensing impact as well. The situation is as follows:
- Java SE installed and/or running: As before, licenses are needed, so no change;
- For developing Oracle applications: No extra licenses needed, no change;
- Restricted Usage Rights: No changes, no consequences;
- Embedded for Oracle applications: No changes, no consequences;
- Embedded for non-Oracle applications: As of now, licenses might be needed; this has changed.
Softline Solutions recommends that organisations carry out a detailed impact analysis in order to determine which Java software versions and editions are installed on the organisation's infrastructure. This will enable an organisation to make reasoned decisions and choices regarding the implications of the changes to Java SE.
Available ITAM tooling can provide insight into all installed 'Java-related' software components; however, these tools cannot determine the exact license requirements for Java SE.
It is important to keep in mind that some Java software components belong to other products and are delivered as part of a bundled/supported package. These components therefore might be free of charge.
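As an added illustration (not code from the Softline Solutions post or from any ITAM product), the script below shows how the `java -version` output that an inventory tool collects from each host can be classified against the release model described above: it separates Oracle builds from OpenJDK builds, maps both the legacy (1.8.0_x) and the newer (11.0.1) version schemes to their feature release, and flags Oracle Java SE 8 installations past the January 2019 public-update cut-off. The hostnames and `java -version` texts are constructed samples, and the cut-off date is taken as the end of the month named in the post.

```python
import re
from datetime import date

# Release model described in the post: Oracle Java SE 8 and 11 are LTS, 9 and 10
# are short-lived feature releases, and public updates for 8 ceased January 2019
# (treated here as the end of that month).
LTS_RELEASES = {8, 11}
PUBLIC_UPDATES_END = {8: date(2019, 1, 31)}
VERSION_RE = re.compile(r'^(?:java|openjdk) version "([^"]+)"', re.MULTILINE)

def feature_release(full_version):
    """1.8.0_181 -> 8 (legacy scheme); 11.0.1 -> 11 and 9-ea -> 9 (JEP 223 scheme)."""
    major, _, rest = full_version.partition(".")
    if major == "1":
        return int(rest.split(".")[0])
    return int(major.split("-")[0])

def classify(feature, is_oracle, today):
    """Status of one installation under the release model above."""
    if not is_oracle:
        return "NON_ORACLE_BUILD"          # outside the Oracle Java SE subscription question
    if feature not in LTS_RELEASES:
        return "FEATURE_RELEASE"           # 9/10: free updates only for six months
    end = PUBLIC_UPDATES_END.get(feature)
    if end and today > end:
        return "LTS_PUBLIC_UPDATES_ENDED"  # further patches need a commercial license
    return "LTS"

def assess(output, today):
    """(full version, status) for one captured `java -version` output."""
    m = VERSION_RE.search(output)
    if not m:
        return ("unknown", "UNPARSEABLE")
    # Oracle's own builds print "Java(TM) SE Runtime Environment"; OpenJDK builds
    # print "OpenJDK Runtime Environment", so the vendor is visible in the same text.
    is_oracle = "Java(TM)" in output
    return (m.group(1), classify(feature_release(m.group(1)), is_oracle, today))

def inventory(outputs, today):
    """{host: captured `java -version` text} -> {host: (version, status)}."""
    return {host: assess(text, today) for host, text in outputs.items()}

# Constructed sample `java -version` output for four hosts (not real captures).
SAMPLE_OUTPUTS = {
    "app01": 'java version "1.8.0_181"\nJava(TM) SE Runtime Environment (build 1.8.0_181-b13)\n',
    "app02": 'openjdk version "11.0.1" 2018-10-16\nOpenJDK Runtime Environment 18.9 (build 11.0.1+13)\n',
    "build01": 'java version "10.0.2" 2018-07-17\nJava(TM) SE Runtime Environment 18.3 (build 10.0.2+13)\n',
    "legacy01": "bash: java: command not found\n",
}
```

Running `inventory(SAMPLE_OUTPUTS, date.today())` yields a per-host status that can be joined with the ITAM inventory; the bundled-component question in the paragraph above still has to be settled per product, since the version string alone does not reveal it.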
Possible Financial Consequences
If an organisation decides it is important to eliminate future security risks, including those related to Java updates, security patches and bug fixes, it needs to acquire the relevant Java SE licenses from Oracle. To estimate the financial impact, organisations can use the information from the subscription model Oracle offers. The calculation of the financial consequences should be based on the available Oracle licensing metrics and the corresponding use rights.
- There is no sudden extra compliance risk;
- There are possible (and probably already existing) security risks when using older public versions of Oracle Java. Organisations should be aware of the impact and review their own security policies;
- If your organisation is still running Oracle Java SE 8, realise that Oracle support will stop at the end of 2018, but other sources remain available. Organisations should check whether they are or have been using Oracle support for Java software and, if so, how often that was the case. Based on that information, an organisation can make a reasoned decision on whether the end of support will be an issue at all and determine any next steps accordingly.
When analysing your strategy and decisions regarding Oracle Java SE licensing, take into account that free and open-source alternatives to Oracle's JDK are available. These alternatives are developed, supported and maintained by a wide range of Java community members, developers and publishers.
Softline Solutions’ consultants have ample experience in license management and ITAM processes for (amongst others) Oracle, and are able to advise and support organisations regarding Oracle Java licensing topics. Softline Solutions can assist in:
- Detection of Oracle Java software components;
- Determining possible security issues related to Oracle Java Licensing;
- Determining financial implications related to upcoming changes for Oracle Java licensing;
- Performing a full Oracle Baseline to provide insight into the current license position;
- Creating a License Position Report for Oracle, including an overview of financial and compliance risks and mitigating actions;
- Providing advice on renewals and contracts;
- Providing audit support;
- Creating compliance processes and procedures specifically for Oracle.