Oracle Java Security Patching
Java is everywhere in enterprise IT. That ubiquity makes patching critical.
Missing updates exposes your organization to serious security risks and potential compliance issues. The challenge is staying patched without paying Oracle’s subscription fees.
This guide explains how Oracle’s patch process works, how to leverage OpenJDK and third-party support, and provides a clear roadmap to keep Java secure and compliant at minimal cost.
Pro Tip: “Skipping patches costs more than paying for them — eventually.”
Why Java Security Updates Matter
Java vulnerabilities are frequent and can be high-impact. Each quarterly security update from Oracle typically fixes dozens of Java flaws, including critical bugs that allow remote exploits.
One outdated Java version on a single server can expose thousands of devices or user sessions, especially if that Java runtime is widely deployed in your environment. In other words, a single unpatched JVM can become a broad attack surface.
Regular patching protects not just your systems but also your licensing posture.
Auditors often flag outdated Java builds as a compliance risk. From a security compliance standpoint, running an end-of-life Java release may violate internal policies or industry regulations.
And from a licensing standpoint, using Oracle Java beyond its public updates without a subscription can put you out of compliance with Oracle’s terms.
In short, staying current with Java updates isn’t optional – it’s essential for both security and audit readiness.
How Oracle Handles Java Updates
Oracle delivers Java Critical Patch Updates (CPUs) on a fixed quarterly schedule (typically January, April, July, October).
These patches address security vulnerabilities in the Java platform and are provided for the latest supported Long-Term Support (LTS) versions (such as Java 8, 11, 17, and newer LTS releases).
Oracle makes these updates available through secure channels to customers with an active Java SE subscription (or other qualifying support contract).
If you don’t have a valid Oracle subscription, you generally can’t legally obtain or deploy those CPU patches. Oracle’s Java SE updates after the public end-of-life are locked behind a support login.
In practical terms, that means organizations without a subscription are not entitled to the quarterly binary patches for older Java versions. Attempting to use Oracle’s patched JDK builds without paying is a license violation.
Oracle’s stance is clear: either you pay for support to get timely patches for legacy Java, or you forego Oracle’s updates altogether. This has driven many organizations to seek alternatives for keeping Java secure.
Security Updates Without Oracle
Fortunately, you can get Java security updates without paying Oracle by using the OpenJDK ecosystem.
OpenJDK is the open-source reference implementation of Java, and it provides the same base code patches that Oracle uses in its CPUs.
In fact, most critical fixes are contributed to OpenJDK by Oracle and others, and Oracle’s commercial and open-source builds include those fixes.
This means the security patches themselves are freely available in source form and end up in non-Oracle Java distributions.
Several community and third-party builds of OpenJDK release updates on a similar schedule to Oracle’s CPUs. For example, Eclipse Temurin (from the Adoptium project), Amazon Corretto, Microsoft Build of OpenJDK, and Red Hat OpenJDK all provide free Java runtime downloads with the latest security fixes.
Often, these updates are released within days of Oracle’s release, keeping you in sync with critical patches. With a bit of automation, you can replace Oracle JDK with one of these and still get your quarterly fixes.
However, there is a catch: you must stay on a supported Java version to continue receiving free patches.
Community OpenJDK builds only provide updates for the active LTS branches (and sometimes one or two older versions during a transition). They will not indefinitely patch very old versions for free.
In practice, this means you need to upgrade your Java runtime periodically instead of expecting to patch an aging version forever.
For example, if you’re on Java 8 without Oracle support, you should plan to move to Java 11 or 17 to keep getting updates from open-source providers.
Using OpenJDK security updates is free, but it shifts the burden to you to adopt new Java versions regularly.
Pro Tip: “You’re not paying for security; you’re paying for stability.”
In other words, Oracle’s subscription isn’t the only way to get security fixes – it’s the way to get them without having to upgrade your Java version as frequently. If you skip Oracle, you can still be secure, but you’ll need a solid upgrade plan to maintain stability.
Third-Party Java Support Options
If you want the stability of longer-term support without Oracle’s subscription, third-party vendors can bridge the gap.
Several companies offer their own builds of OpenJDK with guaranteed security patch support for extended periods.
These vendors essentially continue patching older Java versions (and provide professional support) under their own subscription models, often at a lower cost or with specialized services.
Below is a comparison of popular Java support options outside Oracle:
| Vendor | Supported Builds | Support Duration | Cost Model | Notes |
|---|---|---|---|---|
| Azul Platform Core | Java 6–21 | Extended LTS support | Subscription | Longest patch support (even covers legacy Java 6/7) |
| Red Hat OpenJDK | Java 8, 11, 17 | For RHEL customers | Bundled with Red Hat OS | Ideal for Red Hat enterprise users (support tied to RHEL subscription) |
| Eclipse Temurin (Adoptium) | Java 11, 17, 21 | Community-driven (LTS only) | Free | Frequent updates, no direct cost (community support) |
| Amazon Corretto | Java 8–21 | Long-term (LTS and current) | Free | Backed by AWS, free production-ready binaries |
These options vary in coverage and cost. For instance, Azul’s Platform Core offers perhaps the longest support timelines in the industry — they still issue security patches for Java 6 and 7, which Oracle long ago stopped updating.
That makes Azul attractive if you have very old Java-based applications you can’t upgrade quickly (though you’ll pay a subscription for that peace of mind).
Red Hat’s OpenJDK support is included for customers running Red Hat Enterprise Linux and covers the major LTS versions used in that ecosystem; however, it’s not a standalone service for non-RHEL environments.
Adoptium’s Eclipse Temurin and Amazon Corretto are completely free distributions.
They provide regular updates for the currently supported versions, but they don’t offer paid support contracts—you rely on the community and community-driven schedules. Corretto, being backed by Amazon, is tested and used internally at AWS, which gives some confidence in its stability.
When evaluating third-party Java support, look beyond just the sticker price. The critical factor is how reliably and quickly a vendor delivers security patches. Some vendors pride themselves on releasing patches on the same day Oracle does (or even sooner, since they participate in the OpenJDK vulnerability group).
Others might lag, leaving you exposed longer.
Also consider the duration of support: if you need to stay on Java 8 or 11 for many years, choose a provider that commits to patching those versions for the long haul.
Pro Tip: “Pick a vendor who patches faster than Oracle, not cheaper.” In other words, a low-cost support contract is worthless if the vendor is slow to roll out critical fixes.
Prioritize vendors with a strong track record of timely updates and robust support, even if they cost a bit more. In security, speed, and reliability, a slight discount is worth less than nothing.
Using Free LTS via OpenJDK
For most enterprises, the smartest path to Java security without Oracle is to adopt a Long-Term Support release from the OpenJDK community and keep upgrading regularly.
In practice, this means the following:
- Adopt the current LTS version – Choose a stable LTS Java version (for example, Java 17 or Java 21 at present) as your standard platform. Deploy that version across your applications and systems, replacing any outdated versions.
- Stay on that version for its supported lifetime – Use that chosen LTS for as long as it’s receiving free updates. During this period (often several years), apply all incremental security patches released for it. This gives you a stable baseline with ongoing fixes.
- Plan to upgrade every 2–3 years – When the next LTS release arrives, plan to transition to it before your current version’s community support ends. Java LTS releases now come roughly every two years. A good rule of thumb is to upgrade to the new LTS within 2 to 3 years of its release. For example, if you standardized on Java 17, you would plan to move to Java 21 or the next LTS on a reasonable schedule rather than staying on 17 indefinitely.
- Repeat the cycle – By continuously moving from one LTS to the next promptly, you never let your Java runtime fall out of support. Each upgrade ensures you’re on a version that will continue to get free security patches.
This approach avoids the pitfall of running expired builds. You won’t wake up one day to find yourself stuck on unsupported Java with known vulnerabilities and no patches available (or only available for a fee). Instead, you’ll always be either on a current LTS or on a path to the next one.
All of this can be achieved at zero licensing cost. Yes, upgrades require effort in testing and development, but modern Java LTS versions strive for high compatibility.
The cost and effort of an upgrade every couple of years are usually far less than the cost of an Oracle subscription or, worse, dealing with a security breach caused by an obsolete Java platform.
Crafting a Non-Oracle Support Strategy
How can you put all these pieces together? Here’s a step-by-step strategy for keeping Java secure and supported without Oracle:
1️⃣ Choose a supported OpenJDK build or vendor. Decide on a single Java distribution as your enterprise standard. This could be a free community OpenJDK build (like Temurin or Corretto) or a commercial support vendor like Azul. The key is to pick one source of truth for Java in your organization.
2️⃣ Standardize Java usage enterprise-wide. Once you’ve chosen, roll it out everywhere. Ensure all teams and applications use the approved Java runtime. Remove or replace any Oracle JDK installations or random Java versions floating around. Standardizing on a single version and distribution simplifies patch management and compliance.
3️⃣ Automate patch testing and deployment. Set up an automated process to handle Java updates every quarter. For example, when a new security update is released, have a pipeline to download the new JDK, run your application test suite against it, and then deploy it to production if all looks good. Automation reduces the lag between patch availability and deployment, keeping you safer.
4️⃣ Upgrade to new LTS releases before community support ends. Mark your calendar for LTS transitions. Don’t wait until your current Java version reaches end of life. Begin planning the next upgrade well in advance. Ideally, start evaluating the next LTS release as soon as it’s out, so you can migrate your applications to it smoothly while your current version is still supported. Regular upgrades (every 2–3 years) should become routine rather than a major drama.
5️⃣ Document your patching policy for auditors. Write down your Java maintenance strategy as an official policy. Include details like which distribution you use, how often you apply patches, and your upgrade timeline for new versions. Having this documentation will satisfy auditors and internal stakeholders that you have control over Java licensing and security. It also helps align your IT, security, and procurement teams on the plan.
Pro Tip: “Upgrading every two years is cheaper than renewing Oracle every three.” In other words, if you discipline yourself to adopt each new LTS on a two-year cycle, you avoid the scenario of paying Oracle for an extended third year (or more) of support on an old version. Regular upgrades might sound like work, but they prevent costly lock-in and surprise expenses.
Checklist – Staying Secure Without Oracle
Use this quick checklist to maintain Java security and compliance without an Oracle subscription:
✅ Inventory all active Java versions in use. Map out every Java runtime version running in your environment (servers, applications, desktops). You need a clear baseline before making changes.
✅ Choose one approved OpenJDK distribution/vendor. Select and approve a single Java platform to use (e.g., Eclipse Temurin, Amazon Corretto, or a vendor’s build) and communicate this choice across the organization.
✅ Replace Oracle JDK across the company. Uninstall or phase out Oracle JDK installations company-wide. Deploy your chosen OpenJDK runtime in its place. Ensure new systems use the approved Java by default.
✅ Automate quarterly patch adoption. Implement a process (scripted or via configuration management tools) to fetch and apply Java security updates every quarter. Set targets to apply each Java update within a short window after release (e.g., 1-2 weeks).
✅ Track Java lifecycle and support dates. Keep a schedule of when each Java version exits free support. For each LTS you deploy, note its end-of-support date for community updates. Use this to plan upgrade projects well in advance.
5 Pro Tips
1️⃣ Treat patching as security, not just maintenance. Make Java patching a core part of your security program. It’s not an “optional” maintenance task—it’s vital protection. Prioritize it like you would an incident response drill.
2️⃣ Never rely on outdated Java 8 builds without paid support. Java 8 was great, but if you’re still running it without Oracle or third-party support, you’re at high risk. Either upgrade to a newer LTS or get a support contract that backports fixes to Java 8. Don’t assume “it still works” is good enough—the vulnerabilities are piling up.
3️⃣ Automate LTS upgrade reminders. Set reminders or create a timeline for Java version upgrades. For example, schedule a review of the next LTS release as soon as it’s available. By automating these reminders (in your project tracking or calendars), you ensure the team prepares for upgrades regularly rather than at the last minute.
4️⃣ Keep Oracle JDK off new deployments. Enforce a policy that no new server or application should launch using Oracle’s JDK. This avoids accidentally introducing a license liability or a dead-end on support. Make the approved OpenJDK part of your standard build and CI/CD pipeline so developers use it by default.
5️⃣ Align software asset management with InfoSec. Combine your Software Asset Management (SAM) efforts with your InfoSec policies to control Java. Licensing and security go hand in hand here. Ensure your asset management team tracks Java installations and licenses, while the security team enforces patching. A joint approach will catch any stragglers (like an unauthorized Oracle JDK install or a missed patch) before they become a problem.
Related articles
- How to Get Java Security Updates Without Oracle
- Third-Party Java Support Providers (Overview)
- Managing Out-of-Date Java Versions Securely
- Oracle Java vs OpenJDK Patch Cycle FAQ
5 Actions to Take After Reading
1️⃣ Audit your Java estate for unpatched versions. Immediately review all systems to identify any outdated or Oracle-branded Java installations. This audit will show you where the most urgent risks lie.
2️⃣ Select your OpenJDK provider. Choose which OpenJDK distribution or support vendor your organization will standardize on (e.g., Azul Platform Core, Eclipse Temurin, Amazon Corretto, etc.). Obtain the latest JDK from that provider for the Java version you plan to use.
3️⃣ Establish a Java patch cycle aligned with Oracle’s schedule. Build your internal process to check for and apply Java updates every quarter (coinciding with Oracle’s CPU release dates). Mark those dates on your operations calendar and allocate time for testing and deployment of Java patches.
4️⃣ Create a two-year Java upgrade roadmap. Plan out the next couple of years of Java version changes. For each critical application, determine when you will move it to the next Java LTS. Document this in a roadmap so that budget, testing, and development resources can be allocated in advance.
5️⃣ Eliminate Oracle Java from your environment by the next renewal window. If you currently have Oracle Java licenses or are midway through a support contract, set a target to retire all Oracle JDK usage by the time that contract is up. This way, you can confidently choose not to renew the Oracle subscription and avoid those costs. Even if you don’t have a contract, make it a goal that within the next cycle (say 6-12 months), your company is completely Oracle-free for Java. This will solidify your independence and ensure all future Java updates come from either open-source or more cost-effective sources.
By following these strategies and action steps, you can keep your Java platforms secure and up to date without writing big checks to Oracle.
You’ll maintain compliance, reduce risk, and gain more control over your Java roadmap — all while keeping costs in check. With a bit of planning and the right support model, staying Java-secure without Oracle is entirely achievable for enterprise teams.
Read about our Java Advisory Services
