How a global car rental company with 20,000+ employees and thousands of locations eliminated a $4.7M Oracle Java SE audit claim entirely — paying zero — through deployment auditing, virtualisation footprint optimisation, third-party entitlement review, and expert Oracle negotiation.
Avis Car Rental (part of Avis Budget Group) is a global automotive and travel services company with over 20,000 employees and thousands of rental locations worldwide. Java technology is deeply embedded in Avis’s operational backbone — powering reservation systems, fleet management platforms, self-service kiosks, customer-facing web applications, and back-end integration services.
When Oracle launched an intensive Java-focused audit, their findings alleged widespread non-compliance. Oracle identified Java on hundreds of servers and desktops, applied their most aggressive licensing interpretations — including per-VM licensing for virtualised environments and retroactive charges for historical usage — and presented a compliance claim of approximately $4.7 million. Oracle’s sales team simultaneously pressured Avis to accept either the full claim or a costly long-term Java SE subscription as a “resolution.”
By engaging Redress Compliance for Java audit defence and advisory services, Avis achieved a complete zero-cost resolution. Oracle withdrew the entire $4.7M claim. No licence purchases. No subscriptions. No penalties.
| Metric | Oracle’s Claim | Actual Outcome | Impact |
|---|---|---|---|
| Total Java Audit Claim | $4,700,000 | $0 | $4.7M saved — 100% reduction |
| Servers Flagged by Oracle | Hundreds (incl. VMs and indirect use) | Majority exempt, covered, or removed | Compliance scope reduced by ~90% |
| Java Subscriptions Required | Enterprise-wide subscription | Zero subscriptions purchased | No recurring Java cost to Oracle |
| Virtualisation-Related Claims | Per-VM licensing demanded | Contained to specific hosts; eliminated | ~$1.5M in VM-related claims removed |
| Third-Party Embedded Java | Counted as Avis’s obligation | Covered under vendor redistribution | ~$800K in third-party claims removed |
Avis’s IT infrastructure supports one of the world’s largest vehicle rental networks. The operational demands — real-time fleet availability across thousands of locations, dynamic pricing, online and kiosk-based reservations, loyalty programme integration, and complex supply chain logistics — require a technology stack built for both scale and reliability. Java has been a core component of that stack for over two decades.
Java SE was deployed across multiple layers of Avis’s technology infrastructure: reservation and booking systems processing millions of bookings annually, fleet management platforms for real-time tracking and vehicle assignment, self-service kiosks and rental counter systems at hundreds of locations, enterprise service bus connecting core systems, and Java JDK/JRE on developer workstations and corporate desktops.
Oracle’s audit focused specifically on Java SE usage — an increasingly common audit vector as Oracle seeks to monetise its Java installed base. Oracle’s Java audit scripts were deployed across Avis’s accessible infrastructure, identifying every Java binary on reachable systems. The preliminary findings claimed $4.7M in non-compliance, encompassing historical usage, current deployments, and projected future subscription costs.
| Audit Element | Details |
|---|---|
| Audit type | Intensive Oracle Java audit (formal scope) |
| Products in scope | Oracle Java SE (JDK and JRE) — all global installations |
| Geographic scope | Global — all Avis locations, data centres, and endpoints |
| Oracle’s preliminary claim | ~$4.7M (historical non-compliance + forward subscription) |
| Key Oracle arguments | Per-VM licensing for virtualised environments; indirect Java usage; embedded Java in custom/third-party systems |
| Oracle’s proposed resolution | Immediate multi-million dollar payment or long-term enterprise Java subscription |
Control the information flow from day one: Oracle’s audit team will request broad access and extensive data. Share only what your contract requires. Have every data submission reviewed by independent experts before delivery.
Challenge virtualisation claims immediately: If Oracle claims per-VM Java licensing, challenge the basis. Java licensing generally follows Oracle’s Processor metric tied to physical hosts, not individual VMs.
Identify third-party embedded Java early: Catalogue every Java installation that was deployed by a third-party vendor’s software. These are typically covered under the vendor’s Oracle redistribution agreement.
Don’t accept the settlement framing: Oracle positions the audit as a binary choice: pay the claim or buy a subscription. In reality, the claim itself is negotiable — and often largely or entirely eliminable.
The first phase was a comprehensive audit of every Java installation across Avis’s global IT environment — distinguishing Oracle’s commercial Java from open-source alternatives, legacy free-use versions, and third-party bundled distributions.
The advisory team deployed independent scanning tools (separate from Oracle’s scripts) to inventory every Java binary across Avis’s infrastructure — servers, virtual machines, kiosk devices, desktops, and developer workstations. For each installation, they documented: Java version and build number, distributor (Oracle JDK, Oracle JRE, OpenJDK, Amazon Corretto, Adoptium, vendor-bundled), installation date, whether the Java process was actively running or merely installed, and the application or service using the Java runtime.
| Java Category | Installations | Oracle Licence Required? | Action |
|---|---|---|---|
| Oracle JDK (post-April 2019, production) | ~110 servers | Potentially — requires analysis | Evaluated against entitlements and VM containment |
| OpenJDK / Corretto / Adoptium | ~150 systems | No — open-source, free | Documented as non-Oracle; removed from scope |
| Oracle JDK (pre-April 2019, legacy) | ~65 servers | No — covered under legacy BCL | Version evidence documented; removed from scope |
| Java bundled with third-party apps | ~120 systems | No — vendor redistribution | Vendor agreements documented; removed from scope |
| Kiosk/counter Java (Oracle JRE) | ~300 devices | Potentially — depends on version | Migrated to OpenJDK; Oracle JRE removed |
| Desktop Java (corporate endpoints) | ~400 desktops | Potentially — triggers headcount pricing | Oracle JRE removed; OpenJDK deployed where needed |
| Java in Oracle product bundles | ~30 servers | No — covered under existing Oracle licences | Documented as entitled; removed from scope |
The independent discovery immediately demonstrated that Oracle’s claim was built on a fundamentally overcounted base. Of the ~1,175 Java installations Oracle’s scripts had flagged, approximately 765 (65%) were either non-Oracle Java, pre-April 2019 legacy versions, third-party vendor-bundled distributions, or Java covered under existing Oracle product entitlements. These installations should never have been included in Oracle’s compliance claim.
The second phase targeted Oracle’s virtualisation-specific claims — a significant component of the $4.7M demand. Oracle’s audit team asserted that each virtual machine running Java SE required its own licence allocation. In Avis’s environment, Java was deployed on VMs spread across VMware clusters — meaning Oracle was attempting to count each VM as a separate licensing unit, dramatically inflating the licensing requirement.
Working with Avis’s infrastructure team, the advisory team implemented a virtualisation containment strategy for Java workloads. Oracle Java-running VMs were concentrated onto a defined subset of physical hosts using VMware DRS affinity rules and resource pool boundaries. vMotion scope was restricted to prevent Java-bearing VMs from migrating outside the designated hosts.
| Virtualisation Metric | Oracle’s Claim (Per-VM) | Contained Position (Per-Host) | Impact |
|---|---|---|---|
| Java-running VMs | ~85 VMs across 14 hosts | Contained to 4 designated hosts | Licensing scope reduced to 4 hosts |
| Licensing units | 85 VMs × per-VM cost | 4 hosts × per-Processor cost | ~80% reduction in VM-related licensing |
| Financial impact | ~$1.5M of the total claim | Covered by existing entitlements + containment | ~$1.5M eliminated |
The advisory team also challenged Oracle’s per-VM licensing interpretation on contractual grounds. Oracle’s Java SE licence — whether under the legacy BCL or the current NFTC — defines licensing requirements based on Processors — counting physical processors or cores with a core factor, not virtual machines. Oracle’s assertion that each VM is a separately licensable unit is an interpretation layered on top of their Partitioning Policy — a unilateral document not necessarily incorporated into Avis’s Java licence terms. The combined technical containment and contractual challenge eliminated approximately $1.5M of Oracle’s claim.
Contain Java workloads on dedicated hosts: Use VMware DRS affinity rules to restrict Java-running VMs to designated physical hosts. This limits licensing scope to those hosts, not the entire cluster.
Challenge per-VM licensing assertions: Oracle’s Processor metric is defined as physical processors/cores, not virtual machines. If Oracle claims per-VM licensing, demand contractual justification.
Document your VMware configuration: DRS rules, affinity groups, vMotion boundaries, and resource pools. This evidence is essential for defending against virtualisation-based claims.
Complete containment before responding to Oracle: Implementing host containment proactively demonstrates governance maturity and creates a defensible licensing position.
The third phase addressed a critical but frequently overlooked defence vector: Java usage rights that Avis already possessed through third-party vendor agreements and existing Oracle product licences.
A substantial portion of Java installations had been deployed not by Avis’s IT team, but by third-party software vendors whose products bundle Java as a runtime dependency. Fleet management software, payment processing systems, telematics integrations, and monitoring tools all shipped with their own Java runtime. Under Oracle’s redistribution programme, these vendors obtain redistribution rights that cover their customers’ use of the bundled Java. The advisory team contacted each relevant vendor and obtained documentation confirming their Oracle redistribution agreements, removing approximately 120 systems and ~$800K from Oracle’s claim.
| Oracle Product | Java Entitlement | Avis Systems Covered |
|---|---|---|
| Oracle WebLogic Server | Java SE included as middleware component | ~12 servers |
| Oracle Database | Java SE included for database Java VM | ~8 servers |
| Oracle Fusion Middleware | Java SE included as platform component | ~6 servers |
| Oracle Forms/Reports | Java SE included for application tier | ~4 servers |
| Total covered | — | ~30 servers already entitled |
The team also reviewed Avis’s historical Oracle agreements — going back over a decade — to identify any Java-related entitlements that might have been forgotten. This uncovered legacy Java development licences from earlier Oracle contracts that provided perpetual rights for specific use cases, covering several edge-case installations Oracle had included in their claim.
In parallel with the entitlement analysis, the advisory team coordinated a rapid Java remediation programme across Avis’s global environment — removing Oracle Java where it wasn’t essential and migrating to open-source alternatives.
The largest single category was the ~300 kiosk and rental counter devices running Oracle JRE. The advisory team worked with Avis’s application team to test and certify Eclipse Adoptium (OpenJDK) as a compatible replacement. All 300 devices were migrated to OpenJDK. Approximately 400 corporate desktops had Oracle JRE uninstalled, and where Java was still needed, Adoptium was deployed as the default. Developer workstations and staging servers were migrated to Amazon Corretto and Eclipse Adoptium.
| Remediation Action | Devices/Systems | Completion | Impact |
|---|---|---|---|
| Kiosk/counter migration → OpenJDK | ~300 devices | 6 weeks | Eliminated largest endpoint category |
| Desktop Oracle JRE removal | ~400 desktops | 4 weeks | Removed headcount pricing basis |
| Dev/staging migration → Corretto/Adoptium | ~35 servers | 3 weeks | Removed dev from compliance scope |
| Non-critical app migration → OpenJDK | ~25 servers | 4 weeks | Further reduced Oracle Java footprint |
| Total remediated | ~760 systems | ~8 weeks | ~85% reduction in Oracle Java installations |
All remediation was completed and documented before the formal audit response — demonstrating to Oracle that Avis was managing its Java environment responsibly and had actively addressed the situation.
With the data validated, environment optimised, entitlements mapped, and remediation complete, the advisory team managed the formal negotiation with Oracle’s audit team — presenting an evidence-based position that left Oracle no sustainable basis for their claim.
| Oracle Claim Category | Defence | Result |
|---|---|---|
| Non-Oracle Java counted as Oracle ($1.2M) | Independent scan evidence; OpenJDK/Corretto identification; version analysis | Fully eliminated — not Oracle’s product |
| Virtualisation per-VM claims ($1.5M) | Host containment via DRS affinity; contractual Processor metric analysis | Fully eliminated — contained to entitled hosts |
| Third-party vendor-bundled Java ($800K) | Vendor redistribution agreements documented | Fully eliminated — vendor’s licence responsibility |
| Desktops, kiosks, dev environments ($700K) | Migration to OpenJDK completed and documented | Fully eliminated — Oracle Java removed |
| Remaining servers with Oracle JDK ($500K) | Covered by existing Oracle product entitlements (WebLogic, DB, Middleware) + legacy agreement rights | Fully covered — no new licences required |
| Total: $4.7M | — | $0 — entire claim eliminated |
The advisory team managed all communications with Oracle’s audit team, presenting the corrected data in a structured, professional format that addressed each finding with supporting evidence. Oracle initially contested several points — particularly the virtualisation containment and the scope of existing product entitlements — but the evidence was comprehensive and difficult to dispute.
After several months of back-and-forth, Oracle agreed to drop the claim entirely. The audit was formally closed with no licence purchases, no subscription commitments, and no financial penalties. The $4.7M demand was fully withdrawn.
“When Oracle told us we owed almost $5 million for Java, we were stunned. Redress Compliance came in and completely changed the outcome. Their deep knowledge of Oracle Java licensing and savvy negotiation skills saved us from paying a single dollar. They gave us a clear strategy to resolve the audit and even helped us future-proof our Java usage. It’s expertise we simply didn’t have in-house.”
— IT Procurement Lead, Avis Car Rental
Beyond the immediate $4.7M savings, the engagement delivered lasting governance improvements that protect Avis against future Oracle Java exposure.
| Governance Improvement | Description | Long-Term Impact |
|---|---|---|
| Centralised Java inventory | Quarterly scans; real-time dashboard tracking Oracle vs OpenJDK | Prevents uncontrolled Java accumulation |
| Procurement gate for Oracle JDK | Any Oracle JDK installation requires licensing approval | Stops new Oracle Java exposure at source |
| OpenJDK-first policy | All new deployments default to Adoptium/Corretto | Minimises future Oracle licensing surface |
| Vendor redistribution documentation | All software contracts specify Java bundling and redistribution rights | Prevents third-party Java from creating Oracle exposure |
| VMware-Java change management | Cluster/DRS changes require licensing review | Maintains virtualisation containment |
Avis adopted a formal OpenJDK-first strategy: all new application deployments use Eclipse Adoptium or Amazon Corretto unless Oracle JDK is specifically required for certified compatibility. This policy, combined with the kiosk, desktop, and dev migration completed during the engagement, means Avis’s future Oracle Java footprint is minimal — and fully tracked.
Avis’s zero-cost resolution joins a growing portfolio of Java audit defence outcomes demonstrating that Oracle’s Java claims are systematically overstated and consistently reducible through expert defence.
| Client | Industry | Oracle Claim | Outcome | Cost |
|---|---|---|---|---|
| Avis Car Rental | Mobility / Rental | $4.7M | Claim withdrawn | $0 |
| Kroger | Retail / Grocery | $20M | Resolved at zero cost | $0 |
| Illinois Manufacturing | Manufacturing | $5.3M | Resolved | Minimal |
| World Kinect | Energy / Logistics | $5M | Claim withdrawn | $0 |
| Mercy Health | Healthcare | $4M | Resolved at zero cost | $0 |
| Crown Equipment | Manufacturing | $4M | Resolved at zero cost | $0 |
| Aegean Airlines | Aviation | $2M | Resolved at zero cost | $0 |
| CSAA Insurance | Insurance | $1.5M | Resolved at zero cost | $0 |
| Swedish Manufacturing | Manufacturing | $5M | $5M saved | Minimal |
The cumulative pattern: over $55M+ in Oracle Java audit claims resolved at zero or near-zero cost. The defence methodology is consistent across every engagement — validate Oracle’s data, optimise the Java estate, map entitlements, remediate proactively, and present Oracle with a factual position they cannot sustain.
Whether you’re a global mobility company like Avis or any enterprise with Oracle Java installations, here is the action plan that consistently delivers results.
| # | Action | Timing | Expected Impact |
|---|---|---|---|
| 1 | Inventory all Java installations globally. Use endpoint management tools to catalogue every Java version, distributor, and deployment context. Distinguish Oracle JDK from OpenJDK, Corretto, Adoptium, and vendor-bundled Java. | Immediate | Establishes your actual Java position; identifies Oracle overcounting |
| 2 | Remove Oracle Java from all desktops, kiosks, and endpoints. Replace with Eclipse Adoptium or Amazon Corretto. This eliminates Oracle’s basis for enterprise headcount pricing. | Within 30 days | Removes the largest category of installations from scope |
| 3 | Contain Java workloads in VMware. Use DRS affinity rules to restrict Java-running VMs to designated physical hosts. Document configuration and maintain vMotion logs. | Within 30 days | Defeats per-VM and full-cluster licensing claims |
| 4 | Document all third-party vendor-bundled Java. Contact vendors whose software includes Java runtime. Obtain redistribution agreement confirmation. Add Java bundling clauses to all new software contracts. | Within 60 days | Removes vendor-bundled Java from your licensing obligation |
| 5 | Map remaining Oracle Java to existing product entitlements. Review WebLogic, Database, Middleware, EBS, and other Oracle product licences for Java SE bundling rights. | Within 60 days | Demonstrates existing coverage for remaining installations |
| 6 | Implement a Java governance policy. OpenJDK by default; Oracle JDK requires procurement approval; quarterly automated scans; vendor Java documentation requirements. | Ongoing | Prevents future Java exposure from accumulating |
| 7 | If Oracle contacts you — engage Java audit expertise immediately. The first data submission and response shape the entire audit outcome. | When triggered | Controls the audit trajectory; maximises claim reduction or elimination |
Through a five-phase defence: (1) independent Java deployment audit identifying 65% of Oracle’s flagged installations as non-Oracle, legacy, or vendor-bundled; (2) virtualisation footprint optimisation containing Java to 4 designated hosts, eliminating $1.5M in per-VM claims; (3) third-party entitlement review removing $800K in vendor-bundled Java; (4) migration of 760 kiosks, desktops, and dev systems to OpenJDK; (5) mapping remaining servers to existing Oracle product entitlements. Oracle withdrew the entire claim.
Oracle’s Java licensing uses the Processor metric, which counts physical processors/cores — not virtual machines. Oracle frequently asserts per-VM licensing during audits, but this interpretation is based on their Partitioning Policy, which may not be part of your specific licence terms. Containing Java VMs to designated physical hosts via DRS affinity rules limits licensing scope to those hosts.
Generally no. Software vendors who bundle Java runtime with their products obtain redistribution rights from Oracle that cover their customers’ use. If a vendor’s product ships with Java, the vendor’s redistribution agreement typically covers your use. Obtain documentation from your vendors confirming their redistribution rights and present this during any audit.
Since January 2023, Oracle’s Java SE Universal Subscription is priced at approximately $15 per employee per month for the entire organisation. This model is designed to be Oracle’s default pricing for enterprise Java. However, it’s avoidable by removing Oracle Java from desktop endpoints and demonstrating that Java usage is limited to specific servers — or eliminating Oracle Java entirely through migration to OpenJDK.
Very common — across Java audit engagements, Oracle’s preliminary findings contain errors affecting 30–65% of the claimed scope. Errors include double-counting systems, including decommissioned servers, misidentifying OpenJDK as Oracle JDK, and counting vendor-bundled Java as the customer’s licensing obligation. Independent data validation is essential.
Yes. Oracle WebLogic Server, Oracle Database, Oracle Fusion Middleware, Oracle E-Business Suite, and other products include rights to use Java SE as a component. Oracle’s audit process doesn’t automatically credit these entitlements — you must identify and assert them with supporting ordering documents.
In most cases, no. Kiosk and counter-top devices can typically run OpenJDK alternatives (Adoptium, Corretto) without any functional impact. Migrating these devices to open-source Java eliminates a large volume of Oracle Java installations and significantly reduces audit exposure — as demonstrated in Avis’s case with 300 devices migrated.
Typically 3–9 months from engagement to audit closure. The timeline includes data validation (2–4 weeks), remediation (4–8 weeks), entitlement analysis (2–4 weeks), and negotiation with Oracle (2–4 months). Well-prepared defences with completed remediation tend to resolve faster.
Eclipse Adoptium (Temurin), Amazon Corretto, Red Hat OpenJDK, Azul Zulu, and IBM Semeru are the most widely adopted. All are free, functionally equivalent to Oracle JDK, receive regular security updates, and are suitable for production use. They carry no Oracle licensing obligation.
Redress provides end-to-end Java audit defence: independent deployment auditing, virtualisation containment strategy, third-party entitlement documentation, remediation planning and execution support, and direct negotiation with Oracle LMS. All fixed-fee, 100% vendor-independent. Track record: $55M+ in Java audit claims resolved at zero or near-zero cost.