What is the issue for users of Oracle Java SE 8 ?
In January 2018, Oracle released a statement that it was extending the end-of-life for Oracle Java SE 8 updates to “at least” January 2019.
With no official update for another extension, we have to assume that we are reaching that cut-off point.
See the Oracle statement in full here: https://blogs.oracle.com/java-platform-group/extension-of-oracle-java-se-8-public-updates-and-java-web-start-support
What does this statement mean for Oracle Java SE 8 end-consumers?
For consumers of Java programs who wish to execute those programs using the Oracle SE JVM 8, there is no issue.
You can continue to do so, still for free, at your own risk. Oracle always recommends you maintain a recent version of the JVM for executing Java programs.
What does this statement mean for corporate consumers?
For corporate consumers, the same applies as to public consumers.
If you are simply executing Java programs, you can continue to do so, for free, at your own risk.
However, if you use the Oracle Java SE 8 to compile Java bytecode (you use the javac program), *and* you wish to receive maintenance updates from Oracle, you will need to pay for a license from Oracle (a subscription if you like).
If you don’t want to pay, then you will not be eligible to receive Oracle Java SE 8 updates past January 2019.
Are there any other options, yes, if you are an SAP customer, you have the option to use the SAP JVM.
If you are not an SAP customer, there are alternative distributions of Java available from third-party projects such as OpenJDK.
More information can be seen here: https://www.azul.com/eliminating-java-update-confusion
What does all of this mean for consumers of the SAP JVM?
In short, there is no real license implication, since the SAP JVM is an entirely separate implementation of Java since 2011 when SAP created it’s own SAP JVM 4. See SAP notes 1495160 & 1920326 for more details.
You will notice that in the SAP notes for SAP JVM, SAP indicate the base Oracle Java patches which have been integrated into the SAP JVM version (see SAP note 2463197 for an example).
The current SAP JVM 8.1 still receives updates, as usual, however, SAP also recommend that you look to move to the latest *supported* version of the SAP JVM for your SAP products.
For those who didn’t know, you should be patching the SAP JVM along with your usual SAP patching and maintenance activities.
See here for a Netweaver stack compatibility overview: https://wiki.scn.sap.com/wiki/display/ASJAVA/SAP+JVM+Netweaver+compatibility+and+Installation
SAP are constantly applying SAP JVM fixes and enhancements. A lot of time these are minor “low” priority issues and timezone changes.
To see what fixes are available for your SAP JVM version, you can search for “SAP JVM” in the SAP Software Download Centre, or alternatively look for SAP notes for component BC-JVM with the title contents containing the words “SAP JVM patch collection”. Example: “2463197 – SAP JVM 8.1 Patch Collection 30 (build 8.1.030).”
There are different methods to apply a SAP JVM update depending on the SAP product you have. Some are simply deployed with SAPCAR, some with SUM and some with “unzip”. Check for SAP notes for your respective SAP product.
As with any software there are sometimes security issues for the SAP JVM.
SAP will issue security notes and include the CVSS score (see 1561103 as an example). These notes should be viewed as critically as you view all SAP security notes and included as part of your “super Tuesday” patching sessions.