Notice for IT System Administrators re End of Public Updates for Java SE 8

Published: 15 Apr 2019

IT System Administrators: Please be aware of the following announcement regarding Java SE 8 from Oracle.

WHAT IS HAPPENING

Java SE 8 is going through the End of Public Updates process for legacy releases. According to the Oracle Java SE Support Roadmap, Oracle will continue to provide free public updates and auto updates of Java SE 8 to Personal Users until at least the end of December 2020. For Commercial Users, only those who have the Binary Code License will continue to have access to updates.

The next Critical Patch Update will be published on April 16th, 2019. We do not have confirmation whether any upcoming vulnerabilities will affect Java 8, nor do we know the risks of continuing to run Java 8 without critical updates. This information will only be available once the patch is released. However, without licensing, no patches will be available. See Critical Patch Updates, Security Alerts and Bulletins.

WHO IS AFFECTED

System administrators managing servers are affected only if Oracle Java SE was installed (previously packaged by default with Red Hat).

How to verify if your servers are affected?

  1. Verify the version of Java installed:
    • Windows: CMD -> java -version
    • Linux: terminal -> java -version

If the result shows "Java(TM) SE Runtime Environment", then Oracle Java is installed on the system.

  2. If the system requires Oracle Java, verify whether the applications concerned support free alternatives such as OpenJDK.
  3. Some third-party applications come bundled with Java. In this case, verify with the application vendor whether Java is supported by them or requires external support.
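
The version check above can be scripted on Linux servers. The following is an added example, not part of the original notice: the function names and sample outputs are constructed for illustration, and the "OpenJDK Runtime Environment" string and the 1.8 version prefix for Java SE 8 are assumptions based on what those builds normally print.

```shell
#!/bin/sh
# classify_java TEXT -> prints "<vendor> <version>" for the text printed by
# `java -version`; vendor is oracle, openjdk or unknown.
classify_java() {
    out=$1
    # Take the first quoted version string; not tied to line 1, because a
    # "Picked up JAVA_TOOL_OPTIONS" line can precede the version banner.
    version=$(printf '%s\n' "$out" |
        sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$version" ] || version=unknown
    case $out in
        *"Java(TM) SE Runtime Environment"*) vendor=oracle ;;   # string named in this notice
        *"OpenJDK Runtime Environment"*)     vendor=openjdk ;;  # assumed OpenJDK banner
        *)                                   vendor=unknown ;;
    esac
    printf '%s %s\n' "$vendor" "$version"
}

# is_oracle_java8 TEXT -> exit status 0 only for an Oracle build whose version
# string starts with 1.8. (the numbering Java SE 8 reports).
is_oracle_java8() {
    case $(classify_java "$1") in
        "oracle 1.8."*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Constructed sample outputs, for offline checking of the functions above.
SAMPLE_ORACLE8='java version "1.8.0_201"
Java(TM) SE Runtime Environment (build 1.8.0_201-b09)
Java HotSpot(TM) 64-Bit Server VM (build 25.201-b09, mixed mode)'
SAMPLE_OPENJDK8='openjdk version "1.8.0_201"
OpenJDK Runtime Environment (build 1.8.0_201-b09)
OpenJDK 64-Bit Server VM (build 25.201-b09, mixed mode)'

# Report on the java found on PATH, if there is one. `java -version` writes to
# stderr, hence 2>&1. Bundled runtimes outside PATH must be checked by full path.
if command -v java >/dev/null 2>&1; then
    banner=$(java -version 2>&1) || true
    echo "java on PATH: $(classify_java "$banner")"
    if is_oracle_java8 "$banner"; then
        echo "Oracle Java SE 8: review licensing or migrate"
    fi
fi
```

Only the java on PATH is inspected; a Java runtime bundled inside a third-party application has to be checked by calling its own java binary.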

Note: Desktop computers should not require licenses to run the latest version of Java SE. However, we strongly recommend reviewing the version of Java installed on all desktops not managed by central ITS to validate if you need licenses or not.

WHAT TO DO

If your system is vulnerable, do one of the following:

  1. Purchase a license with Oracle to receive updates (fees will apply based on the number of CPUs/cores on the physical server hosting the system). Production systems are the only ones that need to be licensed. For physical servers or non-centrally managed VMs, please contact Oracle representative Thomas McDonald thomas.mcdonald [at] oracle.com for quotes and pricing.

  2. Migrate the Java SE version to OpenJDK (see the following article: https://developers.redhat.com/blog/2018/11/05/migrating-from-oracle-jdk-to-openjdk-on-red-hat-enterprise-linux-what-you-need-to-know/).

  3. Upgrade the Oracle Java SE version to a newer version (e.g., OpenJDK 11, which should have feature parity with Oracle JDK 11). As this is a major version upgrade, it may be incompatible with your applications or require rework to ensure stability and functionality. Testing should be performed before upgrading. The article below has some helpful information as well: https://blog.jetbrains.com/idea/2018/09/using-java-11-in-production-important-things-to-know/

For systems that do not require a license, we will be working on a solution to provide a copy of Java updates accessible to LAN admins. In the meantime, please contact the IT Service Desk to request our assistance.

CONTACT

If you require assistance at any point, please contact the IT Service Desk (ITSupport [at] mcgill.ca).