
An email sent by Oracle sales representatives, stating that upcoming critical security updates for Java 8 will only be available to licensed users, has sparked controversy because its wording feels to some like extortion or a scare tactic.
In November 2018, Oracle announced that after January 2019, security updates for Java 8 SE would no longer be available for business or commercial use without an active license.
"Java SE 8 is going through the End of Public Updates process for legacy releases. Oracle will continue to provide free public updates and auto updates of Java SE 8, until at least the end of December 2020 for Personal Users, and January 2019 for Commercial Users," Oracle explained in an advisory. "Personal Users continue to get free Java SE 8 updates from Oracle at java.com (or via auto update), and Commercial Users continue to get free updates to Java SE 8 from OTN for free under the BCL license. Starting with the April 2019 scheduled quarterly critical patch update, Oracle Customers can access updates to Java SE 8 for commercial use from Oracle through My Oracle Support and via corporate auto update where applicable (Visit My.Oracle Support Note 1439822.1 - All Java SE Downloads on MOS – Requires Support Login)."
In an email received by Alex Rice, founder and CTO of HackerOne, an Oracle Java account manager states that a "non-publicly available, critical patch update for Java 8" would be released on April 16th 2019 and would only be available to customers with an active license. It then goes on to say that not having these updates installed could leave "your server and desktop environment exposed and vulnerable."

While Oracle did previously announce that future updates for Java 8 would only be for paid license holders, Rice felt that the account representative was using this as a scare tactic in order to convince him to purchase a license, especially when it stated that "Java Version 8 or later" would require a license.
Even stranger, Rice told BleepingComputer that HackerOne has "no commercial relationship with Oracle" and that the email "was unexpected".
The full text of the email reads:
This is an important Java functionality and security notice for the 4/16 Critical Release.
Hope this finds you well. I am reaching out to make sure you are aware that the first quarterly non-publicly available, critical patch update for Java 8 will be released April 16th. Any non-oracle applications and servers running Java Version 8 or later will require a license in order to continue receiving patches and updates, beyond the release. Without proper licensing in place, patching and updating will not be available, possibly leaving your server and desktop environment exposed and vulnerable.
I want to make sure you have the resources and information you need in this transition.
If this is something you feel needs to be addressed, please let me know and we can set something up accordingly pending availability.
In response to Rice's tweet about the email, some defended Oracle's requirement to have users pay for support on an end-of-life product. To Rice and others, the email felt more like a ransom demand, extortion attempt, or scare tactic.

BleepingComputer has contacted Oracle with questions regarding this email, but had not heard back at the time of this publication.
Update 3/29/19 6:31 PM EST: Oracle has told BleepingComputer that they are declining comment on this story.
Comments
GT500 - 4 years ago
If I remember right, Oracle's intention is to offload maintenance of freeware versions of the JDK to the OpenJDK project. I'm assuming that once this happens, the JRE will essentially cease to exist, although I imagine that will be up to the OpenJDK project. Right now they appear to only maintain an open source version of the JDK for Linux, so I don't know how feasible it'd be for them to also try to maintain the JRE, or if they'd even be willing to do it.
Hopefully this will get software built on Java to switch to another programming language, but you know how stubborn people are... Most software that currently requires Java will probably still require it, and end up forcing everyone to keep outdated versions of Java that aren't safe...
Al_Capella - 4 years ago
I can't believe this obsolete and insecure product is still being used. Shame on any developers who still build applications based on this inferior platform.
scmpnd2 - 4 years ago
As a confirmed layperson, what does this mean for me? Occasionally I will get an `error` message advising that Java must be enabled in order to run something… Clearly, we do not want to continue to operate with vulnerable outdated versions; perhaps I've missed it in this column (which is certainly well done!), but I'm unclear on what our alternative(s) will ultimately be.