Oracle has made a major change in how Java applications will be supported under Java 11. This short paper explains the differences in how Java 8 and Java 11 are implemented, and the major change in the way they are supported from a security perspective, specifically that of software updates.
Java 8 has two distinct components - a development kit and a runtime environment, referred to as the JDK and the JRE respectively. Developers use the JDK to develop applications and need the JDK updates to make sure they are working with the latest Java security updates for their products. All end users must install and maintain the JRE to run applications that use Java 8. It was up to the end users (or their IT staff) to keep the JRE up to date in order to run the latest Java components and to keep the endpoint secure. The overwhelming majority of customers consumed the JRE updates, because there are many more Java users than developers.
Oracle has significantly changed the model with Java 11. There is no longer a JRE. Developers using the Java 11 JDK must now compile the needed Java components into, or distribute them with, their products. The developing vendor is responsible for ensuring the latest security updates are included in their product. Likewise, this vendor is responsible for providing product updates when new Java 11 security updates are released by Oracle. This becomes a DevOps issue, as the development team now needs to provide the quarterly updates to resolve any security vulnerabilities. From a patching perspective, the Patch Administrator no longer pushes an update for the JRE. Instead, they will need to work with the developers to push an update to that application, either as a custom patch or as a software update.
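Because each vendor now ships its own copy of the Java runtime, the Patch Administrator loses the single JRE version they used to track and instead has to inventory every bundled runtime on an endpoint. The script below is an added example, not part of the original paper: it relies on the `release` file that JDK 9+ runtime images carry (containing a `JAVA_VERSION="..."` line) to find bundled runtimes and flag those older than the baseline expected after Oracle's latest quarterly update. The two "vendor" application directories it scans are a constructed sample built in a temporary directory, not real products.

```shell
#!/bin/sh
# Added example (not from the original paper): inventory bundled Java 11
# runtimes on a host and flag those behind the patch baseline.

# Extract the version from a runtime image's `release` file,
# e.g. the line JAVA_VERSION="11.0.2" yields 11.0.2.
java_version_of() {
    sed -n 's/^JAVA_VERSION="\([^"]*\)".*/\1/p' "$1"
}

# Succeed (exit 0) when dotted version $1 is older than $2; fail otherwise.
# Non-numeric suffixes such as "+9" are ignored by awk's numeric conversion.
version_older_than() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) exit 0    # a is older
            if (x > y) exit 1    # a is newer
        }
        exit 1                   # equal: not older
    }'
}

# Walk $1 for runtime images (a `release` file beside bin/java) and print
# "<image dir> <version>" for every image older than baseline $2.
find_outdated_runtimes() {
    scan_root="$1"; baseline="$2"
    find "$scan_root" -name release -type f | while read -r rel; do
        dir=$(dirname "$rel")
        [ -x "$dir/bin/java" ] || continue          # not a runtime image
        ver=$(java_version_of "$rel")
        [ -n "$ver" ] || continue                   # no JAVA_VERSION line
        if version_older_than "$ver" "$baseline"; then
            printf '%s %s\n' "$dir" "$ver"
        fi
    done
}

# Constructed sample: two hypothetical vendor products, each bundling its own
# runtime image; vendorA is behind the baseline, vendorB is current.
make_sample_tree() {
    sample_root=$(mktemp -d)
    for app in vendorA-app vendorB-app; do
        mkdir -p "$sample_root/$app/runtime/bin"
        : > "$sample_root/$app/runtime/bin/java"
        chmod +x "$sample_root/$app/runtime/bin/java"
    done
    printf 'JAVA_VERSION="11.0.2"\nIMPLEMENTOR="example"\n' \
        > "$sample_root/vendorA-app/runtime/release"
    printf 'JAVA_VERSION="11.0.12"\n' > "$sample_root/vendorB-app/runtime/release"
    echo "$sample_root"
}

# Stand-alone run against the constructed tree with baseline 11.0.12.
sample=$(make_sample_tree)
find_outdated_runtimes "$sample" 11.0.12
rm -rf "$sample"
```

On a real endpoint, replace the constructed tree with the directories where vendor applications are installed and set the baseline to the Java 11 update level published with Oracle's most recent quarterly release; each line of output names an application the Patch Administrator must chase a vendor update for, since no JRE patch will fix it.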
End users no longer have to worry about Java updates. It is now the responsibility of the developer using Java to ensure the latest updates are included in their products.