An email being sent by Oracle sales representatives about upcoming critical security updates for Java 8 being available only to licensed users has sparked controversy, as its wording strikes some readers as an extortion attempt or a scare tactic.
In November 2018, Oracle announced that after January 2019, security updates for Java 8 SE would no longer be available for business or commercial use without an active license.
"Java SE 8 is going through the End of Public Updates process for legacy releases. Oracle will continue to provide free public updates and auto updates of Java SE 8, until at least the end of December 2020 for Personal Users, and January 2019 for Commercial Users," Oracle explained in an advisory. "Personal Users continue to get free Java SE 8 updates from Oracle at java.com (or via auto update), and Commercial Users continue to get free updates to Java SE 8 from OTN for free under the BCL license. Starting with the April 2019 scheduled quarterly critical patch update, Oracle Customers can access updates to Java SE 8 for commercial use from Oracle through My Oracle Support and via corporate auto update where applicable (Visit My.Oracle Support Note 1439822.1 - All Java SE Downloads on MOS – Requires Support Login)."
In an email received by Alex Rice, founder and CTO of HackerOne, an Oracle Java account manager states that a "non-publicly available, critical patch update for Java 8" would be released on April 16th 2019 and would only be available to customers if they have an active license. It then goes on to say that without these updates installed, it could leave "your server and desktop environment exposed and vulnerable."
While Oracle did previously announce that future updates for Java 8 would only be for paid license holders, Rice felt that the account representative was using this as a scare tactic in order to convince him to purchase a license, especially when it stated that "Java Version 8 or later" would require a license.
Even stranger, Rice told BleepingComputer that HackerOne has "no commercial relationship with Oracle" and that the email "was unexpected".
The full text of the email reads:
This is an important Java functionality and security notice for the 4/16 Critical Release. Hope this finds you well. I am reaching out to make sure you are aware that the first quarterly non-publicly available, critical patch update for Java 8 will be released April 16th. Any non-oracle applications and servers running Java Version 8 or later will require a license in order to continue receiving patches and updates, beyond the release. Without proper licensing in place, patching and updating will not be available, possibly leaving your server and desktop environment exposed and vulnerable. I want to make sure you have the resources and information you need in this transition. If this is something you feel needs to be addressed, please let me know and we can set something up accordingly pending availability.
In response to Rice's tweet about the email, some defended Oracle's requirement that users pay for support on an end-of-life product. To Rice and others, the email felt more like a ransom demand, an extortion attempt, or a scare tactic.
BleepingComputer has contacted Oracle with questions regarding this email, but had not heard back at the time of this publication.
Update 3/29/19 6:31 PM EST: Oracle has told BleepingComputer that they are declining comment on this story.