Executive Summary
Avis Car Rental received an aggressive Oracle Java SE audit demand for $4.7M in historical non-compliance and future subscription costs. The claim was built on fundamental data errors, misinterpretation of licensing scope, and the inclusion of non-Oracle Java installations and third-party bundled distributions.
Through a structured five-phase defence strategy—independent Java deployment audit, virtualisation footprint optimisation, third-party and entitlement review, environment remediation, and expert negotiation—Redress Compliance enabled Avis to eliminate the entire $4.7M claim without payment. Oracle withdrew the claim in full after reviewing the corrected data and defence position.
Beyond the immediate financial outcome, the engagement delivered lasting governance improvements that protect Avis against future Oracle Java exposure across its global IT environment.
The Challenge: A $4.7M Oracle Java Audit Demand
In late 2024, Avis Car Rental's IT and procurement teams received notification of an Oracle Java SE licensing audit. Oracle's audit team had deployed scanning tools across Avis's global environment and flagged approximately 1,175 Java installations requiring licence coverage. Oracle's preliminary audit position:
| Item | Oracle Position |
|---|---|
| Oracle's preliminary claim | $4.7M (historical non-compliance + forward subscription) |
| Key Oracle arguments | Per-VM licensing for virtualised environments; indirect Java usage; embedded Java in custom/third-party systems |
| Oracle's proposed resolution | Immediate multi-million dollar payment or long-term enterprise Java subscription |
What IT Leaders Should Do Now — When a Java Audit Arrives
Control the information flow from day one: Oracle's audit team will request broad access and extensive data. Share only what your contract requires. Have every data submission reviewed by independent experts before delivery.
Challenge virtualisation claims immediately: If Oracle claims per-VM Java licensing, challenge the basis. Java licensing generally follows Oracle's Processor metric tied to physical hosts, not individual VMs.
Identify third-party embedded Java early: Catalogue every Java installation that was deployed by a third-party vendor's software. These are typically covered under the vendor's Oracle redistribution agreement.
Don't accept the settlement framing: Oracle positions the audit as a binary choice: pay the claim or buy a subscription. In reality, the claim itself is negotiable—and often largely or entirely eliminable.
Phase 1: Java Deployment Audit—Separating Oracle Java from the Rest
The first phase was a comprehensive audit of every Java installation across Avis's global IT environment—distinguishing Oracle's commercial Java from open-source alternatives, legacy free-use versions, and third-party bundled distributions.
The advisory team deployed independent scanning tools (separate from Oracle's scripts) to inventory every Java binary across Avis's infrastructure—servers, virtual machines, kiosk devices, desktops, and developer workstations. For each installation, they documented: Java version and build number, distributor (Oracle JDK, Oracle JRE, OpenJDK, Amazon Corretto, Adoptium, vendor-bundled), installation date, whether the Java process was actively running or merely installed, and the application or service using the Java runtime.
| Java Category | Installations | Oracle Licence Required? | Action |
|---|---|---|---|
| Oracle JDK (post-April 2019, production) | ~110 servers | Potentially—requires analysis | Evaluated against entitlements and VM containment |
| OpenJDK / Corretto / Adoptium | ~150 systems | No—open-source, free | Documented as non-Oracle; removed from scope |
| Oracle JDK (pre-April 2019, legacy) | ~65 servers | No—covered under legacy BCL | Version evidence documented; removed from scope |
| Java bundled with third-party apps | ~120 systems | No—vendor redistribution | Vendor agreements documented; removed from scope |
| Kiosk/counter Java (Oracle JRE) | ~300 devices | Potentially—depends on version | Migrated to OpenJDK; Oracle JRE removed |
| Desktop Java (corporate endpoints) | ~400 desktops | Potentially—triggers headcount pricing | Oracle JRE removed; OpenJDK deployed where needed |
| Java in Oracle product bundles | ~30 servers | No—covered under existing Oracle licences | Documented as entitled; removed from scope |
The independent discovery immediately demonstrated that Oracle's claim was built on a fundamentally overcounted base. Of the ~1,175 Java installations Oracle's scripts had flagged, approximately 765 (65%) were either non-Oracle Java, pre-April 2019 legacy versions, third-party vendor-bundled distributions, or Java covered under existing Oracle product entitlements. These installations should never have been included in Oracle's compliance claim.
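The distributor-level inventory described in this phase can be sketched as follows. This is an added example, not the advisory team's or Avis's tooling. It assumes each Java home carries a `release` file with `IMPLEMENTOR` and `JAVA_VERSION` keys; the bucket names, the vendor mapping and the sample paths are hypothetical.

```python
import os
from collections import Counter

# Assumed IMPLEMENTOR -> bucket mapping; extend it for your own estate.
VENDOR_BUCKETS = {
    "Oracle Corporation": "oracle-review",  # needs licence analysis
    "Amazon.com Inc.": "corretto",
    "Eclipse Adoptium": "adoptium",
}

def parse_release(text):
    """Parse KEY="value" lines of a Java home's `release` file."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key:
            props[key] = value.strip().strip('"')
    return props

def classify(props):
    implementor = props.get("IMPLEMENTOR")
    if implementor is None:
        return "manual-review"  # field absent: distributor not identified
    return VENDOR_BUCKETS.get(implementor, "other-vendor")

def scan(root):
    """Return one record per directory under root holding a Java release file."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        if "release" not in files:
            continue
        with open(os.path.join(dirpath, "release"), encoding="utf-8", errors="replace") as fh:
            props = parse_release(fh.read())
        if "JAVA_VERSION" not in props:
            continue  # unrelated file that happens to be named "release"
        records.append({"home": dirpath, "version": props["JAVA_VERSION"],
                        "implementor": props.get("IMPLEMENTOR"), "bucket": classify(props)})
    return sorted(records, key=lambda r: r["home"])

def summarise(records):
    return dict(Counter(r["bucket"] for r in records))  # installations per bucket

# Constructed sample release files under hypothetical paths (not real scan output).
SAMPLES = {
    "opt/oracle-jdk-17": 'IMPLEMENTOR="Oracle Corporation"\nJAVA_VERSION="17.0.8"\n',
    "opt/corretto-11": 'IMPLEMENTOR="Amazon.com Inc."\nJAVA_VERSION="11.0.20"\n',
    "opt/temurin-21": 'IMPLEMENTOR="Eclipse Adoptium"\nJAVA_VERSION="21.0.1"\n',
    "apps/fleet/jre": 'JAVA_VERSION="1.8.0_181"\nOS_NAME="Linux"\n',
}

def build_sample_tree(root):
    for rel, body in SAMPLES.items():
        os.makedirs(os.path.join(root, rel))
        with open(os.path.join(root, rel, "release"), "w", encoding="utf-8") as fh:
            fh.write(body)
```

A record in `oracle-review` is only a candidate: the version, installation date and entitlement checks described in this phase still decide whether it stays in scope.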
Phase 2: Virtualisation Footprint Optimisation—Defeating Per-VM Claims
The second phase targeted Oracle's virtualisation-specific claims—a significant component of the $4.7M demand. Oracle's audit team asserted that each virtual machine running Java SE required its own licence allocation. In Avis's environment, Java was deployed on VMs spread across VMware clusters—meaning Oracle was attempting to count each VM as a separate licensing unit, dramatically inflating the licensing requirement.
Working with Avis's infrastructure team, the advisory team implemented a virtualisation containment strategy for Java workloads. Oracle Java-running VMs were concentrated onto a defined subset of physical hosts using VMware DRS affinity rules and resource pool boundaries. vMotion scope was restricted to prevent Java-bearing VMs from migrating outside the designated hosts.
| Virtualisation Metric | Oracle's Claim (Per-VM) | Contained Position (Per-Host) | Impact |
|---|---|---|---|
| Java-running VMs | ~85 VMs across 14 hosts | Contained to 4 designated hosts | Licensing scope reduced to 4 hosts |
| Licensing units | 85 VMs × per-VM cost | 4 hosts × per-Processor cost | ~80% reduction in VM-related licensing |
| Financial impact | ~$1.5M of the total claim | Covered by existing entitlements + containment | ~$1.5M eliminated |
The advisory team also challenged Oracle's per-VM licensing interpretation on contractual grounds. Oracle's Java SE licence, whether under the legacy BCL or the current NFTC, defines licensing requirements based on Processors (physical processors or cores counted with a core factor), not virtual machines. Oracle's assertion that each VM is a separately licensable unit is an interpretation layered on top of their Partitioning Policy, a unilateral document not necessarily incorporated into Avis's Java licence terms. The combined technical containment and contractual challenge eliminated approximately $1.5M of Oracle's claim.
What IT Leaders Should Do Now—Java Virtualisation Defence
Contain Java workloads on dedicated hosts: Use VMware DRS affinity rules to restrict Java-running VMs to designated physical hosts. This limits licensing scope to those hosts, not the entire cluster.
Challenge per-VM licensing assertions: Oracle's Processor metric is defined as physical processors/cores, not virtual machines. If Oracle claims per-VM licensing, demand contractual justification.
Document your VMware configuration: DRS rules, affinity groups, vMotion boundaries, and resource pools. This evidence is essential for defending against virtualisation-based claims.
Complete containment before responding to Oracle: Implementing host containment proactively demonstrates governance maturity and creates a defensible licensing position.
Phase 3: Third-Party and Entitlement Review—Hidden Coverage
The third phase addressed a critical but frequently overlooked defence vector: Java usage rights that Avis already possessed through third-party vendor agreements and existing Oracle product licences.
A substantial portion of Java installations had been deployed not by Avis's IT team, but by third-party software vendors whose products bundle Java as a runtime dependency. Fleet management software, payment processing systems, telematics integrations, and monitoring tools all shipped with their own Java runtime. Under Oracle's redistribution programme, these vendors obtain redistribution rights that cover their customers' use of the bundled Java. The advisory team contacted each relevant vendor and obtained documentation confirming their Oracle redistribution agreements, removing approximately 120 systems and ~$800K from Oracle's claim.
| Oracle Product | Java Entitlement | Avis Systems Covered |
|---|---|---|
| Oracle WebLogic Server | Java SE included as middleware component | ~12 servers |
| Oracle Database | Java SE included for database Java VM | ~8 servers |
| Oracle Fusion Middleware | Java SE included as platform component | ~6 servers |
| Oracle Forms/Reports | Java SE included for application tier | ~4 servers |
| Total covered | — | ~30 servers already entitled |
The team also reviewed Avis's historical Oracle agreements—going back over a decade—to identify any Java-related entitlements that might have been forgotten. This uncovered legacy Java development licences from earlier Oracle contracts that provided perpetual rights for specific use cases, covering several edge-case installations Oracle had included in their claim.
Phase 4: Remediation—Eliminating Oracle Java Where Possible
In parallel with the entitlement analysis, the advisory team coordinated a rapid Java remediation programme across Avis's global environment—removing Oracle Java where it wasn't essential and migrating to open-source alternatives.
The largest single category was the ~300 kiosk and rental counter devices running Oracle JRE. The advisory team worked with Avis's application team to test and certify Eclipse Adoptium (OpenJDK) as a compatible replacement. All 300 devices were migrated to OpenJDK. Approximately 400 corporate desktops had Oracle JRE uninstalled, and where Java was still needed, Adoptium was deployed as the default. Developer workstations and staging servers were migrated to Amazon Corretto and Eclipse Adoptium.
| Remediation Action | Devices/Systems | Completion | Impact |
|---|---|---|---|
| Kiosk/counter migration → OpenJDK | ~300 devices | 6 weeks | Eliminated largest endpoint category |
| Desktop Oracle JRE removal | ~400 desktops | 4 weeks | Removed headcount pricing basis |
| Dev/staging migration → Corretto/Adoptium | ~35 servers | 3 weeks | Removed dev from compliance scope |
| Non-critical app migration → OpenJDK | ~25 servers | 4 weeks | Further reduced Oracle Java footprint |
| Total remediated | ~760 systems | ~8 weeks | ~85% reduction in Oracle Java installations |
All remediation was completed and documented before the formal audit response—demonstrating to Oracle that Avis was managing its Java environment responsibly and had actively addressed the situation.
Phase 5: Negotiation and Audit Closure—Zero Cost
With the data validated, environment optimised, entitlements mapped, and remediation complete, the advisory team managed the formal negotiation with Oracle's audit team—presenting an evidence-based position that left Oracle no sustainable basis for their claim.
| Oracle Claim Category | Defence | Result |
|---|---|---|
| Non-Oracle Java counted as Oracle ($1.2M) | Independent scan evidence; OpenJDK/Corretto identification; version analysis | Fully eliminated—not Oracle's product |
| Virtualisation per-VM claims ($1.5M) | Host containment via DRS affinity; contractual Processor metric analysis | Fully eliminated—contained to entitled hosts |
| Third-party vendor-bundled Java ($800K) | Vendor redistribution agreements documented | Fully eliminated—vendor's licence responsibility |
| Desktops, kiosks, dev environments ($700K) | Migration to OpenJDK completed and documented | Fully eliminated—Oracle Java removed |
| Remaining servers with Oracle JDK ($500K) | Covered by existing Oracle product entitlements (WebLogic, DB, Middleware) + legacy agreement rights | Fully covered—no new licences required |
| Total: $4.7M | — | $0—entire claim eliminated |
The advisory team managed all communications with Oracle's audit team, presenting the corrected data in a structured, professional format that addressed each finding with supporting evidence. Oracle initially contested several points—particularly the virtualisation containment and the scope of existing product entitlements—but the evidence was comprehensive and difficult to dispute.
After several months of back-and-forth, Oracle agreed to drop the claim entirely. The audit was formally closed with no licence purchases, no subscription commitments, and no financial penalties. The $4.7M demand was fully withdrawn.
"When Oracle told us we owed almost $5 million for Java, we were stunned. Redress Compliance came in and completely changed the outcome. Their deep knowledge of Oracle Java licensing and savvy negotiation skills saved us from paying a single dollar. They gave us a clear strategy to resolve the audit and even helped us future-proof our Java usage. It's expertise we simply didn't have in-house."
— IT Procurement Lead, Avis Car Rental
Long-Term Impact and Governance Improvements
Beyond the immediate $4.7M savings, the engagement delivered lasting governance improvements that protect Avis against future Oracle Java exposure.
| Governance Improvement | Description | Long-Term Impact |
|---|---|---|
| Centralised Java inventory | Quarterly scans; real-time dashboard tracking Oracle vs OpenJDK | Prevents uncontrolled Java accumulation |
| Procurement gate for Oracle JDK | Any Oracle JDK installation requires licensing approval | Stops new Oracle Java exposure at source |
| OpenJDK-first policy | All new deployments default to Adoptium/Corretto | Minimises future Oracle licensing surface |
| Vendor redistribution documentation | All software contracts specify Java bundling and redistribution rights | Prevents third-party Java from creating Oracle exposure |
| VMware-Java change management | Cluster/DRS changes require licensing review | Maintains virtualisation containment |
Avis adopted a formal OpenJDK-first strategy: all new application deployments use Eclipse Adoptium or Amazon Corretto unless Oracle JDK is specifically required for certified compatibility. This policy, combined with the kiosk, desktop, and dev migration completed during the engagement, means Avis's future Oracle Java footprint is minimal—and fully tracked.
Wider Context: Java Audit Defence Results Across Industries
Avis's zero-cost resolution joins a growing portfolio of Java audit defence outcomes demonstrating that Oracle's Java claims are systematically overstated and consistently reducible through expert defence.
| Client | Industry | Oracle Claim | Outcome | Cost |
|---|---|---|---|---|
| Avis Car Rental | Mobility / Rental | $4.7M | Claim withdrawn | $0 |
| Kroger | Retail / Grocery | $20M | Resolved at zero cost | $0 |
| Aegean Airlines | Aviation | $2M | Resolved at zero cost | $0 |
| Java Advisory Services Hub | Cross-Industry | $50M+ | Multiple zero-cost resolutions | — |
The cumulative pattern: over $55M in Oracle Java audit claims resolved at zero or near-zero cost. The defence methodology is consistent across every engagement—validate Oracle's data, optimise the Java estate, map entitlements, remediate proactively, and present Oracle with a factual position they cannot sustain.
Action Plan: Defending Against Oracle Java Audits
Whether you're a global mobility company like Avis or any enterprise with Oracle Java installations, here is the action plan that consistently delivers results.
| # | Action | Timing | Expected Impact |
|---|---|---|---|
| 1 | Inventory all Java installations globally. Use endpoint management tools to catalogue every Java version, distributor, and deployment context. Distinguish Oracle JDK from OpenJDK, Corretto, Adoptium, and vendor-bundled Java. | Immediate | Establishes your actual Java position; identifies Oracle overcounting |
| 2 | Remove Oracle Java from all desktops, kiosks, and endpoints. Replace with Eclipse Adoptium or Amazon Corretto. This eliminates Oracle's basis for enterprise headcount pricing. | Within 30 days | Removes the largest category of installations from scope |
| 3 | Contain Java workloads in VMware. Use DRS affinity rules to restrict Java-running VMs to designated physical hosts. Document configuration and maintain vMotion logs. | Within 30 days | Defeats per-VM and full-cluster licensing claims |
| 4 | Document all third-party vendor-bundled Java. Contact vendors whose software includes Java runtime. Obtain redistribution agreement confirmation. Add Java bundling clauses to all new software contracts. | Within 60 days | Removes vendor-bundled Java from your licensing obligation |
| 5 | Map remaining Oracle Java to existing product entitlements. Review WebLogic, Database, Middleware, EBS, and other Oracle product licences for Java SE bundling rights. | Within 60 days | Demonstrates existing coverage for remaining installations |
| 6 | Implement a Java governance policy. OpenJDK by default; Oracle JDK requires procurement approval; quarterly automated scans; vendor Java documentation requirements. | Ongoing | Prevents future Java exposure from accumulating |
| 7 | If Oracle contacts you—engage Java audit expertise immediately. The first data submission and response shape the entire audit outcome. | When triggered | Controls the audit trajectory; maximises claim reduction or elimination |