Free Updates for Oracle Java 8 Have Ended (and why that may be affecting your patch report)

Oracle, the owner of the Java programming language and development platform, stopped releasing free, publicly downloadable updates for Java 8 as of January 2019. The last public update was Java 8 Update 201. It has been superseded by Java 8 Update 211, which includes security fixes and is not available for public download. As a result, if you have Java 8 in your environment and receive our detailed patch report, the 3rd Party Application Patch Health section will reflect that you are 0% patched for this product!

We’ve found that a Q&A format is helpful for addressing concerns about issues like this, where there are a number of variables to consider.

Q: Why is this a problem? 

A: Like lots of other software, Java needs maintenance and patching against security holes. If no action is taken, existing installs of Oracle Java 8 Update 201 will remain exposed to any security vulnerabilities discovered after January 2019.

Q: What are the replacement options for Oracle Java 8? 

A: There is an open-source variant called OpenJDK that is freely available. The two most common distributions of OpenJDK are Amazon Corretto and AdoptOpenJDK. The Amazon Corretto build seems to be more popular. However, while these non-Oracle open-source builds of Java are free and perpetually supported, they may not be fully compatible with Oracle Java code.

Additionally, Oracle Java 11 and 12 are available and are listed as a Long-Term Release, meaning that free updates will be available for a while (for comparison, Java 8 was released four years ago). However, it’s not known if Java 11 or 12 is backwards-compatible with Java 8 in all circumstances. The OpenJDK project is chiefly focused on maintaining Java 8 compatibility.

Q: How do I determine if my business is impacted? 

A: This is perhaps the trickiest question of all! Ideally, your line-of-business software vendor should have contacted you and informed you of this change in Java supportability; it’s really their problem to make sure the code they’re writing accounts for any platform changes that might impact their users. If you suspect that one or more of your business applications use Java, give us a call and we can help you determine that with our reporting tools. 

Q: We’ve determined that we need to run Java 8 on our user systems for a required business application. What do we need to do in order to stay up-to-date with Java? 

A: There are two options: 

1. Consult your software vendor to see if Amazon Corretto is supported as a replacement for Oracle Java. If so, contact Suite3; as long as you have a ManageSuite RMM agreement with us, we can perform a silent conversion of all your Java installations to Corretto. If you have a patch management agreement with Suite3, Corretto will be maintained in the same manner Java had been to this point. This is the preferred option for ease of maintenance and management. 

2. Pay Oracle for its update subscription services, which are licensed per-seat. This would require the client to manually download each new release from Oracle as the releases are issued, and then contact Suite3 to have the update deployed and installed. We’ll be able to automate the upgrade somewhat, but the download from Oracle requires manual sign-in by the licensee.

With either Oracle or Amazon Java implementations, Suite3 will remain able to report on installed version health with our patch reports, same as we always have. 

Q: How much does the Oracle Java Subscription Plan cost? 

A: The subscription itself is $2.50 per user per month, with a minimum one-year subscription per user. Other costs, such as installation and maintenance, depend on your service agreement with Suite3.