Why Legacy Java Licensing Is a Live Compliance Risk

Oracle Java licensing changed fundamentally in January 2019 and again in January 2023. Organisations that locked in their Java deployments years ago and have not revisited the licensing picture are almost certainly carrying undisclosed financial exposure. In Oracle's audit programme, legacy Java versions — particularly Java 8 and Java 11 — are among the most frequently cited compliance gaps.

The challenge is that Oracle's published licensing rules differ materially by version, by update number, and by the specific licence agreement in place at the time of download. "We've always run Java 8" is not a defence if the version you are running falls outside the last freely licensed update number.

This article provides a version-by-version breakdown of what Oracle requires and where the free-use cutoffs sit. Redress Compliance advises organisations across all legacy Java versions — read on for the definitive breakdown.

Java 6: End-of-Life Since April 2013

Oracle ended public updates for Java 6 in February 2013. The final publicly available release under the original Oracle Binary Code Licence (BCL) was Java SE 6 Update 45. That update remains technically free to download and use; Oracle has not retroactively relicensed it.

The practical reality for Java 6 is that Oracle does not actively pursue commercial licences for its use. No update released since early 2013 is available without either an Oracle Java SE Subscription or an Oracle Premier Support contract. Because no security patches have been issued publicly for over a decade, any organisation still running Java 6 in production faces a far more significant operational risk — unpatched CVEs — than a licensing risk.

That said, running Java 6 on systems that receive Oracle support (for example, via Oracle WebLogic or Oracle E-Business Suite extended support) can pull Java 6 into the scope of a broader Oracle audit. In those cases, Oracle has been known to argue that the Java component requires its own subscription.

Java 6 Summary

  • Last free public release: 6u45 (February 2013)
  • Subsequent updates: available only under Oracle Premier Support
  • Active enforcement: low, but not zero when bundled with other Oracle products
  • Primary risk: operational (unpatched CVEs), not licensing

Java 7: End-of-Life Since April 2015

Oracle ended public updates for Java 7 in April 2015. The last publicly available update was Java SE 7 Update 80 (7u80). Like Java 6, Oracle retains 7u80 as a free download under the original BCL, and many organisations continue to use it without any paid relationship with Oracle.

Subsequent updates to Java 7 — available through Oracle Extended Support — require a paid support contract. Oracle's Java SE Subscription covers Java 7 for customers on extended support windows, but this is rarely relevant unless an organisation is actively paying Oracle for Java 7 patches.

For organisations that have never paid Oracle anything for Java 7 and are running 7u80 or earlier, the strict licensing position is that they are within the original free-use terms. However, the operational exposure from running a 10-year-old JDK without any patching is severe.

"Running Java 7u80 without Oracle support is technically within the original licence. Running any later update without a subscription is not. Most organisations cannot tell you which update they are on."

Java 7 Summary

  • Last free public release: 7u80 (April 2015)
  • Subsequent updates: require Oracle Premier Support or Extended Support contract
  • Active enforcement: low for standalone Java 7; higher when tied to other Oracle products
  • Migration recommendation: move off Java 7 immediately

Java 8: The Most Commercially Significant Legacy Version

Java 8 is where Oracle's commercial enforcement is at its most active for legacy versions. The key date is January 2019, and the key update number is 8u202.

What Is Free in Java 8

Oracle Java SE 8 Update 202 and all prior updates were released under the Oracle Binary Code Licence Agreement, which permitted free use in commercial environments. An organisation running 8u202 or earlier in production has no obligation to pay Oracle anything — provided it obtained that version legitimately and is not downloading newer updates.

This is a genuine free-use entitlement that Oracle has not revoked. The BCL terms for those updates remain in force.

What Requires a Subscription in Java 8

Beginning with Java SE 8 Update 211 (8u211), released in April 2019, Oracle changed the licence terms to the Oracle Technology Network (OTN) Licence Agreement. The OTN licence permits personal use, development, testing, and prototyping at no charge. Production use requires an active Oracle Java SE Subscription.

Any organisation running 8u211, 8u221, 8u231, or any later 8 update in production without an active subscription is outside Oracle's terms. Oracle's licence management services (LMS) and Global Licensing and Advisory Services (GLAS) teams routinely identify this gap through deployment scripts and software asset management (SAM) tool outputs.

Java 8 and the 2023 Employee Model

Since January 2023, Oracle's Java SE Universal Subscription replaced the old processor-based and Named User Plus metrics with an employee headcount model. Organisations buying or renewing a Java SE Subscription today — including to cover production use of Java 8 — are quoted on the basis of their total employee count, not the number of Java installations.

This frequently produces cost increases of 700% or more versus the original processor-based pricing. A company with 5,000 employees paying $15 per employee per month (the entry-level tier) faces an annual Java bill of $900,000 — regardless of whether Java runs on five servers or five hundred.

Unsure which Java 8 update your organisation is running?

Redress Compliance runs independent Java estate assessments. We identify your exact version exposure before Oracle does.
Get an Assessment

Java 8 Summary

  • Free for commercial use: 8u202 and earlier (BCL licence)
  • Requires subscription: 8u211 and later in production (OTN licence)
  • Current subscription metric: employee-based (Java SE Universal Subscription)
  • Oracle support escalation: 8% per year — budget accordingly
  • Enforcement risk: high — Java 8 is Oracle's most audited Java version

Java 11: Licence Change at First Release

Java 11 was released in September 2018 as the first long-term support (LTS) release following Java 8. Unlike Java 8, there was no period of free commercial use for Oracle JDK 11. From the very first Oracle JDK 11 release, Oracle applied the OTN Licence Agreement, which prohibits production use without a subscription.

This is a critical and frequently misunderstood point: organisations that migrated from Java 8 to Java 11 assuming they were moving to a "free" version were mistaken — at least when using Oracle's own JDK distribution.

The Distinction Between Oracle JDK 11 and OpenJDK 11

The Java 11 confusion arises partly because OpenJDK 11 — the community build of the reference implementation — is available under the GNU General Public Licence (GPL) with a classpath exception, which permits commercial use without payment. Oracle distributes two things:

  • Oracle JDK 11: OTN licence. Production use requires a subscription.
  • Oracle's OpenJDK build (openjdk.java.net): GPL licence. Free for production use.

The functional difference between the two was minor from Java 12 onwards (Oracle aligned the feature sets), but the licence difference is material. If an organisation downloaded "Java 11" from oracle.com/downloads, they almost certainly obtained the OTN-licenced Oracle JDK, not the GPL-licenced OpenJDK build. This distinction is exactly what Oracle audit teams test for.

Java 11 Support Timeline

Java 11 is an LTS release. Oracle provides Premier Support through September 2026 and Extended Support through 2032 — but both require an active subscription. Organisations running Oracle JDK 11 without paying are exposed on two fronts: licensing compliance and the absence of security patches.

Java 11 Summary

  • Oracle JDK 11 (from oracle.com): requires subscription for production use from first release
  • Oracle's OpenJDK build (openjdk.java.net): free under GPL for production use
  • Premier Support: through September 2026 (subscription required)
  • Extended Support: through 2032 (subscription required)
  • Audit exposure: high — many organisations don't know which build they downloaded

Java 17 and Later: NFTC Introduces Genuine Free Use

From Java 17 onwards, Oracle introduced the No-Fee Terms and Conditions (NFTC) licence, which permits production and commercial use of Oracle JDK at no charge — but only for the specific version covered. Oracle JDK 17 is free for production use. Oracle JDK 21 (LTS, released September 2023) is also covered by NFTC.

The catch is that NFTC free use applies only while the version is in its standard support period. Once Oracle designates a version as requiring extended support, paid subscriptions re-enter the picture for organisations that need continued patching. For most organisations on Java 17 or 21, this is a concern for the mid-to-late 2020s, but it is worth factoring into long-term planning.

How Oracle Detects Legacy Java Usage

Oracle uses several mechanisms to identify unlicensed Java deployments. Understanding these is essential for any organisation assessing its exposure:

  • LMS scripts: Oracle's licence management scripts, when used in audits, scan operating systems for installed JDK versions and update numbers.
  • SAM tool integrations: Third-party software asset management tools (ServiceNow, Flexera, Snow) report Java inventories. Oracle has used data from SAM tool partners in licence reviews.
  • Oracle support interactions: If an organisation logs a support request referencing a Java version, Oracle may use that as evidence in a licence discussion.
  • Product dependencies: Oracle middleware (WebLogic, ADF, E-Business Suite) bundles Java. Audits of those products frequently surface the underlying JDK version.
"The most dangerous Java deployment is not the one you know about — it is the one bundled inside an application server that nobody has reviewed in five years."

Practical Steps to Assess Your Legacy Java Exposure

Regardless of which legacy version your organisation runs, the following steps reduce exposure before Oracle identifies it first:

  1. Run a full Java estate inventory. Identify every JDK and JRE installation across servers, desktops, containers, and embedded systems. Include application-bundled JDKs.
  2. Record the exact update number. For Java 8, the update number determines whether a licence is required. 8u201 and 8u202 are free; 8u211 onward is not.
  3. Identify the source of the download. Oracle JDK downloads carry OTN terms. Adoptium, Amazon Corretto, Azul Zulu, and Red Hat OpenJDK builds carry GPL terms.
  4. Map Java to products. Identify which applications depend on which JDK. This is essential for planning a migration away from Oracle distributions.
  5. Engage an independent adviser. If Oracle has initiated a licence review or audit, do not respond without independent advice. Oracle's GLAS teams are experienced negotiators.

OpenJDK Alternatives: The Practical Path Off Oracle

For organisations seeking to exit Oracle Java commercial licensing, several mature, enterprise-grade OpenJDK distributions are available. These are built from the same source code as Oracle JDK and pass Oracle's Technology Compatibility Kit (TCK) tests:

  • Eclipse Temurin (Adoptium): Community-maintained, free, LTS releases available
  • Amazon Corretto: Free, AWS-supported, includes long-term security patches
  • Azul Platform Core (Zulu): Free community builds; paid support available
  • Red Hat OpenJDK: Included in Red Hat Enterprise Linux subscriptions
  • Microsoft Build of OpenJDK: Free, targeted at Azure and Windows environments

In most enterprise environments, migrating from Oracle JDK to one of these distributions is a low-risk, high-value exercise. The JDKs are functionally equivalent for the vast majority of Java workloads. Redress Compliance has worked with clients saving six and seven figures annually by making this transition.

What Happens If Oracle Audits Your Legacy Java

If Oracle identifies unlicensed production use of Java 8 (post-8u202) or Oracle JDK 11, it will typically open a licence review through GLAS. The initial contact is usually framed as a "true-up" or "compliance exercise," but it is effectively the opening position of a commercial negotiation.

Oracle will calculate a back-dated licence obligation using the current employee-based pricing — not the processor pricing that was in place when the usage began. It will also apply the standard 8% annual support escalation retroactively. These calculations routinely produce claims that are five to ten times the forward-looking subscription cost.

Organisations that engage proactively — before Oracle raises the issue — consistently achieve better outcomes. Options include demonstrating a credible migration plan, negotiating a limited-scope subscription, or leveraging the OpenJDK transition as a walk-away alternative to force Oracle to moderate its claim.

Redress Compliance provides Oracle Java audit defence services for organisations at every stage of the licence review process.

Key Takeaways

  • Java 6 and 7: last publicly free updates are 6u45 and 7u80 respectively; later updates require Oracle support contracts
  • Java 8: free through 8u202; production use of 8u211 or later requires an active Oracle Java SE Subscription
  • Oracle JDK 11: subscription required for production use from the first release — there was no free commercial period
  • Java 17 and 21: free for production use under NFTC during the standard support window
  • Oracle support escalates at 8% per year — any back-dated claim grows quickly
  • OpenJDK alternatives from Adoptium, Amazon, Azul, and Red Hat are mature, compatible, and avoid Oracle commercial licensing entirely

Need clarity on your legacy Java exposure?

Redress Compliance delivers independent Java estate assessments and negotiation support. Buyer-side only. No Oracle relationship to protect.
Speak to an Advisor