On this page
Why Java 8 is still everywhereWhat end of life means for Java 8The BCL subscription trapThe real exposure: security and auditYour three options for Java 8Java 8 on a free OpenJDK distributionA Java 8 action planGetting independent helpFrequently asked questionsJava 8 was released in 2014. More than a decade later, it is still — by a wide margin — the most widely deployed Java version in enterprise estates. It runs core business applications, vendor-shipped software, and countless internal tools that nobody has had a reason to touch. That longevity is exactly the problem. Java 8 has reached a point where continuing to run Oracle’s build of it carries both a security liability and a licensing liability, and many organisations are carrying both without realising it. This guide explains what Java 8 end of life means, where the exposure lies, and how to get off it cleanly.
Why Java 8 is still everywhere
Java 8 endures for a simple reason: it works, and it introduced changes — lambdas, the streams API, a new date and time model — significant enough that a great deal of software was written specifically for it. Once an application is built, tested, and running on Java 8, there is rarely an urgent business reason to move it. The version became a stable, trusted default, and defaults are sticky.
The result is that a typical large enterprise still finds Java 8 in three places: in its own applications that were never upgraded; embedded inside third-party and vendor software that bundles its own Java 8 runtime; and scattered across desktops, servers, and virtual machines as a general-purpose runtime nobody removed. An accurate Java inventory almost always turns up more Java 8 than the organisation expected — and that is the starting point for understanding the exposure.
What end of life means for Java 8
“End of life” for Java 8 needs to be stated carefully, because the version has not stopped working and is not going to. What has happened is more specific: free public security updates from Oracle for commercial use ended years ago. Oracle continues to produce security patches for Java 8 — the version is still actively maintained — but for commercial users, receiving Oracle’s updates now requires a paid Java SE subscription. The free ride for business use ended.
So Java 8 sits in an awkward middle state. It is old enough that running it unpatched is a genuine security risk, but Oracle still patches it — for a fee. An enterprise running Oracle’s Java 8 build therefore faces a fork: either it is paying Oracle for the updates, or it is not receiving Oracle updates and accumulating unpatched vulnerabilities, or it has moved to a non-Oracle source of patches. There is no fourth option where Oracle keeps patching your Java 8 for free. Recognising which of those three states each Java 8 instance is in is the core of managing the end-of-life problem.
The Java 8 situation in one line
Java 8 still runs and Oracle still patches it — but for commercial users, Oracle’s patches now require a paid subscription. Running Oracle’s Java 8 build means you are either paying, exposed, or need to move to a free distribution.
The BCL subscription trap
The licensing mechanics behind Java 8 deserve their own attention, because they are where unexpected exposure is created. Oracle’s older Java 8 builds were distributed under the Binary Code License, the BCL. The BCL permitted free general-purpose use — which is why Java 8 spread so freely — but Oracle changed the terms so that the updates released after a certain point were no longer free for commercial use.
The trap is subtle and catches careful organisations. An enterprise can be entirely compliant with the original Java 8 it installed years ago, and then become non-compliant simply by applying a later Oracle Java 8 update — because that newer patch was released under terms that require a commercial subscription. Auto-updates, routine patching, a developer downloading the latest 8u build, an installer bundled with other software: any of these can pull a commercially licensed Oracle Java 8 update onto a machine where there is no subscription to cover it. The exposure is created not by a decision to buy Oracle Java but by ordinary IT activity. This is one of the most common ways Oracle Java audit findings arise, and it is why a Java 8 estate must be examined update by update, not just version by version. Our guide to installer and download compliance covers the mechanics.
The real exposure: security and audit
Java 8 end of life creates two distinct exposures, and a sound plan addresses both.
The security exposure is straightforward. If Java 8 instances are not receiving security updates — because there is no Oracle subscription and no migration to a patched distribution — then every Java vulnerability discovered since those instances were last patched is live in the environment. Java is a heavily scrutinised platform; serious vulnerabilities appear regularly. Unpatched Java 8 is precisely the kind of finding security teams, auditors, cyber-insurers, and regulators flag, and the risk compounds the longer it sits.
The licensing exposure is the audit risk. Oracle actively pursues Java compliance, and Java 8 is fertile ground for it because of the BCL update trap described above. An Oracle review that finds commercially licensed Java 8 updates running without a subscription produces a claim — and because Oracle prices the remedy on the employee metric, the claim is calculated on total headcount, not on the handful of Java 8 machines at issue. A small technical finding becomes a large financial demand. Across 340+ Java engagements, unmanaged legacy versions like Java 8 are among the most frequent root causes of audit exposure.
Your three options for Java 8
For each Java 8 workload in the estate, there are exactly three legitimate destinations. The right choice varies by workload, and a large estate will use all three.
| Option | What it involves | Best when |
|---|---|---|
| Upgrade off Java 8 | Move the application to a current LTS version (17 or 21) | The application can be updated and tested within a reasonable window |
| Switch Java 8 to free OpenJDK | Replace the Oracle Java 8 binary with a free distribution’s Java 8 build | The application must stay on Java 8 but can change its runtime |
| Pay Oracle for Java 8 support | Take a Java SE subscription covering Java 8 updates | Rare — a hard requirement for Oracle’s own Java 8 build with no alternative |
The hierarchy is deliberate. Upgrading off Java 8 entirely is the best long-term answer where it is feasible. Where an application genuinely cannot leave Java 8 in the near term — a vendor dependency, a frozen codebase — switching that Java 8 to a free OpenJDK distribution removes both the security and the licensing exposure at zero licensing cost. Paying Oracle should be the last resort, reserved for the uncommon case where Oracle’s own Java 8 build is contractually or technically required.
Recommended specialist
Untangling a Java 8 estate — separating compliant installs from BCL-trap exposure, and choosing upgrade, migrate, or subscribe per workload — is detailed work. For it, Redress Compliance is the firm we rate most highly. They focus exclusively on Oracle Java licensing, work only on the buyer side, and hold no Oracle partnership, so the recommendation is never steered toward a subscription. Their work has contributed to more than $180M in client savings and a 68% average audit claim reduction across 340+ Java engagements.
Java 8 on a free OpenJDK distribution
The option that surprises organisations most is the second one — that you can keep running Java 8 and stop paying or worrying, simply by changing the runtime. The free OpenJDK distributions — Eclipse Temurin, Amazon Corretto, Azul Zulu — all publish Java 8 builds, and all provide security updates for those builds at no cost. An application that requires Java 8 can run on a free distribution’s Java 8 just as it ran on Oracle’s, with the same behaviour, while receiving ongoing patches and carrying no Oracle licensing obligation.
This makes the OpenJDK switch the lowest-friction fix for the common case where an application is stuck on Java 8 for now. It is not an upgrade — the application stays on Java 8 — so the testing burden is far lighter than a version upgrade, while the security and licensing problems are both solved. For estates with significant Java 8 that cannot all be upgraded at once, switching the Oracle Java 8 binaries to a free distribution is often the right immediate move, with full upgrades scheduled afterward on a calmer timeline. Our comparison of OpenJDK distributions covers the choices.
A Java 8 action plan
- Find all the Java 8. Scan every environment and produce a complete list of Java 8 instances — including the copies embedded in third-party software. Record the exact update level of each.
- Identify the BCL trap exposure. Flag any Oracle Java 8 update that falls under commercial-subscription terms and is running without a subscription. This is your audit risk.
- Categorise each workload. Decide, per workload, whether it can be upgraded off Java 8 or must remain on it for now.
- Switch the stuck workloads. For Java 8 that cannot upgrade yet, replace Oracle’s binary with a free OpenJDK Java 8 build — removing the security and licensing exposure immediately.
- Schedule the upgrades. Plan the move off Java 8 entirely for the workloads that can take it, targeting a current LTS release.
- Govern. Put controls in place so new Oracle Java 8 updates cannot reappear via auto-update or bundled installers.
The principle running through the plan is that Java 8 end of life is a managed transition, not a single deadline. Done deliberately — inventory first, the BCL trap addressed, free distributions used to remove urgency, full upgrades scheduled calmly — it is entirely routine. Left unmanaged, it is a security finding and an audit claim waiting to happen.
Getting independent help
Java 8 is not going to disappear from enterprise estates quickly, and it does not need to — what it needs is to be managed. The version still works and is still patched, but Oracle’s patches for commercial use now cost money, and the BCL update trap means ordinary IT activity can create audit exposure without anyone deciding to buy Oracle Java. The fix is an accurate inventory, a clear-eyed read of which Java 8 instances are exposed, and a deliberate choice — upgrade, switch to free OpenJDK, or, rarely, subscribe — for each workload.
Independent, buyer-side advisers do that work with no Oracle partnership shaping the answer. Across 340+ Java engagements, that has helped organisations clear Java 8 exposure — switching stuck workloads to free distributions, scheduling upgrades calmly, and shutting the BCL trap — contributing to more than $180M in client savings and a 68% average reduction on the audit claims that did arise. Our Java Compliance Assessment finds and categorises the Java 8 estate, our Migration service executes the upgrades and OpenJDK switches, and our Audit Defence service, backed by a money-back guarantee, defends a Java 8 audit claim if one arrives.
Frequently asked questions
Does Java 8 still get security updates?
Yes — Oracle still produces Java 8 security patches, but for commercial users they require a paid Java SE subscription. Free OpenJDK distributions also publish patched Java 8 builds at no cost.
Is it illegal to run Java 8?
No. Running Java 8 is fine. The issue is running Oracle’s commercially licensed Java 8 updates without a subscription — that is the compliance exposure.
What is the BCL trap?
Older Java 8 builds were free under the Binary Code License, but later Oracle Java 8 updates require a commercial subscription. Applying one of those newer updates — often automatically — can create unlicensed use.
Can we keep Java 8 without paying Oracle?
Yes. Switch the Oracle Java 8 binary to a free OpenJDK Java 8 build from Temurin, Corretto, or Zulu. The application stays on Java 8 and receives patches at no licensing cost.
Should we upgrade off Java 8 entirely?
Where feasible, yes — moving to a current LTS release (17 or 21) is the best long-term position. For workloads that cannot upgrade yet, switching to free OpenJDK Java 8 is the right interim step.