Oracle Java JRE free version End of Life

Starting April 2019, Oracle no longer provides a free, open-source, commercial version of Oracle Java. This includes Oracle Java SE, JDK, and RE products. The current Oracle Java products received their last free upgrade in April 2019. Oracle Java is used in USGS in many ways, from USGS application servers that are based on Java code, to standalone USGS applications that require customized local Java installations, to 3rd-party applications that require locally customized Java to run. Additional information about the future support of this product can be found here.

Previously, Oracle Java was open-source software with no licensing costs associated with it, and quarterly upgrades to its products were released. Oracle Java also used to bundle some OpenJDK products for free, but has now moved to a cost-only model. Starting in April 2019, the 2019Q2 upgrades to Oracle Java will only be available to those who purchase support from Oracle. This means that any Oracle Java installations that do not have paid support will not receive patches for vulnerabilities introduced into the environment.

The Oracle Java Runtime Environment (JRE) application has become a standard installation on most computers in USGS, regardless of whether the system has a direct need for it or not. However, with the lack of current open source security patches and support being provided by the vendor, the future USGS posture requires the removal of Oracle JRE and all other Oracle Java products from systems that do not require it.  The goal is to move towards a state where all Oracle Java dependencies are removed from the environment.

On March 26, 2019, DOI approved the use of Amazon Corretto as a Tier 2 – DOI Standard Optional application replacement for localized computer Oracle JRE installations.  A Tier 2 application is defined as any application, service or agent that is baselined as a DOI standard, but which is not required and may be optionally installed as appropriate. Installation will be determined by program or business requirements.

The Amazon Corretto product is a bundled installation of the OpenJDK application to support remaining Java needs in the environment. The Department has taken the Amazon Corretto product and applied certificates and environment variable mapping, just as was done for previous Oracle JRE applications. Amazon Corretto has been made available for our use in MECM as a 64-bit or 32-bit application. The source files are located here: \\iinrestcmcas01.doi.net\sccm_source$\DOI\Software\Tier2\Amazon\corretto

DOI is also working to create BigFix Fixlets to support Windows Server, Linux, and MacOS X applications for Amazon Corretto, and those will be announced once available. In the meantime, Amazon Corretto installs for non-Windows systems can be found here.

Local IT has been working to capture a list of Java dependencies. While many dependencies have been verified to work with Amazon Corretto, there are a few outstanding items listed.

Starting in April 2019, remaining Oracle Java installations will begin to show as vulnerabilities in the eVMS scan results. As a result, all systems that do not have valid and documented dependencies will need to have Oracle JRE uninstalled and replaced with Amazon Corretto as appropriate. The ePatching team will begin patching Amazon Corretto as a standard quarterly update starting with the 2019 Q2 release in April 2019, but will not take action on removing Oracle Java until June 2019. During the June ePatching cycle, Oracle JRE will be removed from all remaining client systems in USGS that have not been officially captured on the Oracle Exceptions sheet.

Java JRE End of Life Actions

  1. If you have an application that is Oracle Java RE dependent, please mark it on this sheet, which tracks USGS dependencies on Oracle Java and the status of their resolution, here
    • First test to see if Amazon Corretto can replace your Oracle Java dependency need.
    • Second, reach out to the vendor.
      • Ask if they have an ISV agreement with Oracle to provide Java updates to you to run their product. See the FAQs here.
      • Ask them for a new version of their product that embeds Oracle Java RE or works with Amazon Corretto.
    • If the vendor will not provide you with a solution, your site will have Java vulnerabilities unless you purchase a license for software updates or remove this application. Licenses will need to be maintained until the Oracle JRE requirement goes away and JRE can be removed from the system.
  2. If you have to re-install Oracle Java RE, do not download it from the web. We are not licensed for this product. Please pull a copy of the last licensed version from – \\gs.doi.net\di\SCCM\Sources\Software\Tier4\Oracle\Java\Java08.201.1
    • This version will cause an eVMS vulnerability on the system. Your site will have to keep the vulnerability until the vendor either removes the dependency or a licensed copy of Oracle Java is purchased. Installing an unlicensed version of Oracle Java to remove the eVMS vulnerability is not an option.
  3. If you have Oracle Java RE installed on your non-server system and do not want it uninstalled during the June ePatching cycle, please note it on this exception sheet here
  4. LAS/MCU systems – As of December 2019, Java is no longer required for LAS/MCU Systems. For more information see: "Reminder: Java no longer required for LAS/MCU systems – USGS Technical Support Teams". DOI/USGS is aware that these systems are running an older version of Java. The vendor is “licensed” for the version that they are including with their updates. Sites should keep LAS/MCU systems updated to the latest approved version. USGS will work to exclude these systems from being marked in the eVMS system. DOI is working on a risk acceptance for the department on these systems. These systems will NOT have Java removed from them during the June ePatching cycle. A report of all systems running the USAccess software can be found using the BigFix report “USGS: Installed Software USAccess – Windows”, which can be found on the reports page here. If a system is running an old version of the product, please either update the software or remove it if it is no longer needed.
