Oracle to end publicly available security fixes for Java 7 this month

Users must sign long-term support deals or migrate to Java 8 to avoid 'enormous headache and disruption to millions of applications'

Public updates for Java 7 -- including bug and security fixes -- will end this month, a situation that one security advocate says could impact millions of applications.

"As outlined in the Oracle JDK [Java Development Kit] Support Roadmap, after April 2015, Oracle will not post further updates of Java SE [Standard Edition] 7 to its public download sites," Oracle's Java SE Support Roadmap states. "Customers who need continued access to critical bug fixes and security fixes as well as general maintenance for Java SE 7 or older versions can get long-term support through Oracle Java SE Support. The process of migrating users from Java 7 to Java 8 through the auto update feature is expected to take place after the January 2015 CPU release."

Oracle released Java SE 7 in July 2011; Java SE 8 was released in March 2014. Java, particularly on the client side, has been beset by security issues in recent years. But Oracle has taken many steps to address the issues and stressed that most of the problems dated back several years, before Oracle took over Java from Sun in 2010.

Still, the impact of Oracle's cessation of public updates could be severe, an official at security firm Waratek believes. Oracle's "rapid" end-of-life schedule for Java versions is great for innovation and language evolution, Waratek CTO John Matthew Holt said in an emailed statement. "However, there is a dangerous tradeoff; now millions of Java 7 applications will have to defend themselves against code-level vulnerabilities without the benefit of future fixes." Holt advocates either upgrades to Java 8 or use of Java Run-time Application Self Protection (RASP) technologies (Waratek is a RASP vendor).

This week's security update from Oracle, meanwhile, marks the "proverbial 'end of the road' for Java 7 application security," Holt said. "After today, the only version of the Java Platform which will receive public security updates is Java 8. This is huge news, and it is going to cause enormous headache and disruption to millions of application owners around the world."

Oracle, contacted Tuesday afternoon for comment on the end of public updates for Java SE 7, had not responded by late evening.

The April 2015 Critical Patch Update released Tuesday by Oracle provides 98 new fixes for security issues across a wide range of product families, said Eric Maurice in an Oracle blog post. These range from Oracle Database to Oracle Fusion Middleware, Java SE, and MySQL. Fourteen of the security fixes are for Java SE.

Copyright © 2015 IDG Communications, Inc.