Vulnerability Protection

Introduction

The JDK is capable of running mission critical applications in all different types of settings, but regardless of what you use your JDK for, it is essential to keep it secure. Doing so can be complicated, as multiple factors contribute to the security of your JDK deployments. The following best practices will help keep your JDK secure.

Keep your JDK Updated with the Latest Oracle Releases

• Download the latest JDK versions.
• You can also automate the download of your JDKs using JDK Script Friendly URLs.
• Review the JDK Installation Guides for more information:

• JDK 25 (LTS)
• JDK 21 (LTS)
• JDK 17 (LTS)
• JDK 11 (LTS)
• JDK 8 (LTS)

Install the Latest Patches to Help Keep Your Software Stack Up to Date

• Updating the JDK is only one step. Ensure that your OS and all associated libraries are up to date also.
• The Oracle Java SE Support Roadmap shows the support lifetimes for all Oracle Java SE versions.
• Oracle provides Certified System Configurations for the following versions:

• JDK 25 (LTS)
• JDK 21 (LTS)
• JDK 17 (LTS)
• JDK 11 (LTS)
• JDK 8 (LTS)

Please note that Oracle does not certify on Operating System versions that are no longer supported by the Operating System provider.

Critical Patch Updates (CPUs)

• Critical Patch Updates, Security Alerts and Bulletins

Never Deploy or Run with JDK Versions that are Outdated or End Of Life

• No vulnerability patches are available for such releases.
• Use monitoring software, such as jcmd, to determine which JDK versions are deployed in your environment. jcmd is a powerful tool capable of reporting release versions of all JDKs that support the jcmd attach mechanism.
• Run jcmd directly from the <JDK_HOME>/bin/ directory to determine all supported JDKs currently running on your system.
• See the jcmd documentation for more information.
• Alternatively, run java -version from the Java directory to check the installed version (whether it is running or not).

Use modern, industy best-practice code for your cryptographic operations

• Keep up to date with the Oracle JRE/JDK Cryptographic Roadmap. This page will help you determine if your applications could be impacted by changes Oracle makes to cryptography provisioning.
• See also the Cryptography page.

Visit the Java Security Resource Center

• The Java Security Resource Center is a useful resource containing resources and links to additional information on topics related to Java Security technology.

Security Alerts

• Critical Patch Updates, Security Alerts and Bulletins
• Common Vulnerabilities and Exposures (CVEs) Mapped to Alerts and Patches