Client Profile
Avis Car Rental is one of the world's largest car rental networks, operating across more than 180 countries with a fleet of approximately 650,000 vehicles and serving millions of leisure and business travel customers annually. The enterprise technology environment supports an exceptionally complex operational requirement: reservation management, fleet logistics, counter operations, mobile customer applications, loyalty programme management, and financial reconciliation across a globally distributed infrastructure. Java forms a core component of this technology stack. Java-based applications handle reservation processing at rental counters, fleet tracking integration, loyalty platform services, and a range of integration middleware connecting Avis's third-party travel distribution partners to the central reservation system.
Prior to Oracle's January 2023 licensing model change, Avis had managed Java licensing under the legacy framework, with Oracle JDK deployed on specific server workloads that had been identified as requiring Oracle's distribution. Over the preceding three years, Avis's technology operations team had also deployed OpenJDK distributions on a significant number of servers as part of a cloud migration and infrastructure modernisation programme — but this distinction between Oracle JDK and OpenJDK was not consistently reflected in the organisation's IT asset management records at the time Oracle initiated its compliance engagement.
The Challenge
Oracle's Java compliance team initiated the engagement with a data request covering all Java installations across Avis's server and desktop infrastructure. Based on the resulting scan data — which identified Java runtime environments on hundreds of servers and thousands of managed endpoints — Oracle's team applied the January 2023 Universal Subscription employee-count methodology to the full Avis employee population. This produced a claimed licence requirement covering all Avis employees globally, generating an exposure estimate of $4.7M comprising approximately $2.2M in current-year subscription and $2.5M in claimed back-payments for the period since January 2023.
Oracle's calculation rested on two assumptions that Redress's technical team identified as factually incorrect for Avis's environment. First, Oracle's scan had detected Java runtime environments without distinguishing between Oracle JDK — which triggers Oracle's commercial licensing requirements — and OpenJDK distributions, which carry no Oracle licence obligation regardless of the employee-count model. Second, Oracle's employee-count metric applied to Avis's entire global workforce, when the model is only contractually applicable to organisations where Oracle JDK is in active use — a qualification that requires technical evidence to establish rather than assumption to refute.
The stakes were substantial. At $4.7M, Oracle's claim represented a material financial exposure. More significantly, Avis's technology leadership was concerned that an unresolved Java compliance position could affect the company's enterprise licence agreements with Oracle, which covered Oracle Database infrastructure critical to the reservation and fleet management platforms. Redress Compliance was engaged within days of Oracle's initial approach to manage the technical and commercial response.
The Approach
Redress Compliance's engagement began immediately with a full Java deployment audit across Avis's server estate and managed endpoint environment. The audit used a combination of automated scanning tools and manual verification to identify the precise distribution — Oracle JDK, OpenJDK, or third-party certified OpenJDK distribution — for every Java installation identified in Oracle's scan data.
The technical audit produced a definitive deployment inventory. The analysis confirmed that across the server environment, the overwhelming majority of Java installations were OpenJDK or Amazon Corretto — distributions that carry no Oracle commercial obligation. Oracle JDK was present on 68 servers: legacy application servers running Java-based integration middleware and a set of Oracle Forms and Reports server workloads where Oracle JDK was an explicit application dependency. On the managed endpoint environment, the audit confirmed that the Java detections in Oracle's scan were attributable to a combination of browser-embedded Java plug-in artefacts and third-party enterprise software packages whose Java components were licensed through their respective software vendors.
Redress prepared a detailed technical response to Oracle's compliance team presenting the full deployment inventory, with per-server evidence distinguishing Oracle JDK from OpenJDK, and a commercial analysis establishing that Oracle's employee-count subscription model was applicable only to the 68 Oracle JDK server workloads rather than to Avis's entire employee population. The response also challenged the retroactive element of Oracle's claim: the $2.5M back-payment assertion was based on Oracle's application of the 2023 employee metric to periods prior to its introduction, which Redress characterised as commercially and contractually unsupportable.
Oracle's compliance team requested a supplementary round of technical clarification on the Amazon Corretto classification and the third-party software vendor Java licences. Redress provided the supporting documentation within five business days. Oracle's team reviewed the complete submission over a three-week period.
The Outcome
Oracle withdrew the $4.7M claim in its entirety. The audit closed with a complete zero-cost outcome: no fines, no new licence fees, no settlement payment, and no back-payment obligation. Oracle acknowledged in its written closure communication that Avis's Java deployment, as established by the Redress audit, did not support the claimed licence deficiency.
Following closure of the Oracle compliance engagement, Avis implemented a Java remediation programme developed in consultation with Redress. The 68 Oracle JDK server workloads were assessed individually for migration feasibility. Forty-two servers were migrated to Amazon Corretto over a six-month period, reducing the residual Oracle JDK footprint — and any future Oracle Java subscription requirement — by 62%. The remaining 26 servers retained Oracle JDK under a correctly scoped annual subscription at a cost of $62,000 per year — a reduction of 99% from Oracle's initial demand of $4.7M, and a fraction of the $2.2M annual subscription Oracle had originally sought.
Avis also implemented a Java governance framework, including mandatory IT asset management fields distinguishing Oracle JDK from OpenJDK, a procurement control requiring new Java deployments to default to OpenJDK unless a specific business case is approved for Oracle JDK, and an annual Java compliance review as part of the IT audit cycle. This framework eliminates the environmental ambiguity that enabled Oracle to construct an inflated initial claim, and ensures that any future Oracle compliance engagement begins with Avis holding an independently verified, accurate picture of its Java estate.
Key Takeaways
- Oracle's Java audits begin with the assumption of maximum exposure. Oracle's compliance team applies the employee-count metric to the broadest possible definition of the organisation's Java estate. This produces an initial claim that is almost always significantly higher than the actual compliant licence requirement once the estate is properly analysed.
- OpenJDK and Oracle JDK are not the same for licensing purposes. The most common and impactful finding in Java audits is that a significant portion of identified Java installations are OpenJDK or certified OpenJDK distributions carrying no Oracle commercial obligation. This single factor reduced Avis's exposure from $4.7M to near-zero.
- Third-party software vendor Java components are not end-user licence obligations. Java components embedded in commercial enterprise software — ERP, analytics platforms, security tools — are licensed by the vendor, not by the end-user organisation. Including these in a compliance response significantly inflates the apparent exposure.
- Retroactive liability claims require contractual challenge, not acceptance. Oracle's compliance team routinely includes back-payment claims covering periods before the 2023 Universal Subscription was introduced, or periods before the organisation had been formally notified of a compliance issue. These claims should be challenged on their contractual merits.
- Independent advisory before any response to Oracle is the single most impactful decision. Organisations that respond to Oracle's compliance engagement without independent advisory routinely accept inflated claims. Organisations that engage Redress Compliance first resolve Oracle Java claims at a fraction of Oracle's initial demand — or, as in Avis's case, at zero.
Received an Oracle Java compliance communication?
Redress Compliance audits Java environments and manages Oracle's compliance process — achieving zero-cost outcomes where Oracle's claims lack technical foundation.