Oracle’s Newest Java Audit Demand: Your VMware Topology — And What California Law Says About It

A pattern is appearing in Oracle’s Java licensing enforcement that every in-house counsel with an Oracle footprint needs to understand. On the sales side, at least in some instances, Oracle is offering customers what is, in substance, a two-track choice. Customers willing to subscribe on the new per-employee Java SE Universal Subscription metric can do so without producing information about their virtualization environment. Customers who want to remain on — or return to — Oracle’s legacy Named User Plus or Processor-based Java metrics may be required by Oracle to first disclose extensive data covering the entire VMware farm, not only the servers where Oracle software is installed or actually running. A Java licensing conversation is, in other words, being converted into a VMware full environment disclosure.

The scope of that demand is the tell. Even under the legacy Named User Plus and Processor options, Java compliance is verified by reference to the servers where Oracle Java is actually installed and/or running. When Oracle asks for data about the full virtualized environment — including hosts that do not run Oracle software at all — the data is being collected for a different purpose. This post explains that purpose, why it is dangerous, and the California legal arguments customers can use to push back.

What Oracle Is Asking For

The audit-side of this pattern is now documented in the trade press. Redress Compliance has reported that Java audit letters ask for “a full list of all VMware or other virtualized platform hosts, whether they have Java installed or not”. House of Brick has documented Oracle asking for vCenter exports and cluster configuration data during Java audits and tying those requests back to Oracle’s aggressive position on VMware licensing. And The Register’s 2024 coverage of Java audit letters to Fortune 100 companies signaled the scale of the escalation.

The structure of the choice Oracle is offering customers with meaningful Java dependencies deserves a closer look, because it functions as a Hobson’s choice. Accepting the per-employee metric avoids any VMware inquiry, but it has made Oracle Java dramatically more expensive for most enterprises than the legacy arrangements. Declining that metric in favor of Named User Plus or Processor-based licensing may require the customer to hand over data on the full VMware environment — including hosts that have nothing to do with Oracle software. And walking away from Oracle Java altogether is, for many customers, not a short-term option: a disciplined migration to OpenJDK or another supported distribution takes time, requires engineering and testing work, and introduces business risk that cannot be absorbed on Oracle’s negotiation timeline.

Customers have understandably balked at the VMware-disclosure path. Producing whole-farm topology to Oracle at any stage of a Java engagement raises the risk that the inquiry will expand beyond Java, or that Oracle will use the data to assert compliance claims about other Oracle products running in the same environment — most obviously Oracle Database. That is the subscription-side extension of the pattern we described in “Oracle Java Licensing Enforcement: How ‘Friendly Outreach’ Is Driving Significant Compliance Risk” and in “How Oracle Uses Online Agreements for ‘Free Software’ to Trap Companies”: Oracle’s outreach is not just pre-litigation intake — in some instances it has become pre-audit intake, with the subscription transaction itself used as the lever.

Why It Is Dangerous

The purpose of the VMware request is Oracle’s long-running “soft partitioning” position on database licensing — the whitepaper theory, never codified in customer agreements, that any physical core in a VMware cluster where Oracle software could theoretically run must be fully licensed. Under its more aggressive expressions, according to Oracle, every host connected to the same vCenter, or reachable by vMotion, must be licensed for any Oracle software running anywhere in the environment. For a customer running a modest Oracle Database footprint on a large VMware estate, the resulting compliance gap is often very large.

That position has never been tested in court with a court ruling, and independent specialists have argued forcefully that Oracle’s soft-partitioning theory is inconsistent with how VMware actually works. But the economic pressure to settle rather than litigate is enormous, and Oracle knows it. A customer who hands over complete vCenter topology during a Java audit has, in practical terms, already pre-calculated the database compliance claim Oracle will assert three months later. The Java audit is the delivery vehicle. The database claim is the payload.

California Legal Arguments That Matter

For Oracle customers — many of whom operate under Oracle agreements that select California law by an express choice-of-law provision — California provides a toolkit for pushing back on this conduct. As California lawyers, we are intimately familiar with this toolkit.

The Unfair Competition Law, Business & Professions Code § 17200, is the most flexible and most important of those tools. Section 17200 prohibits any “unlawful, unfair, or fraudulent business act or practice.” The “unfair” prong reaches conduct that violates public policy or causes substantial injury, even where no specific statute has been violated. Conditioning the sale of a Java subscription — priced on a metric entirely unrelated to virtualization — on the customer’s disclosure of VMware topology that will predictably be used to construct a separate, much larger claim appears to fit the “unfair” framework cleanly. Post-Proposition 64, a UCL plaintiff must show actual injury; a customer who paid an inflated subscription price, or who was forced into a database compliance settlement the disclosure made possible, can satisfy that requirement.

The implied covenant of good faith and fair dealing is a second, and often underused, angle. Every California contract includes an implied covenant prohibiting either party from acting to deprive the other of the benefits of the bargain. When Oracle invokes the audit clause from one agreement — an Oracle Master Agreement, a database OLSA, or an OTN license — to extract information whose only function is to build claims under a separate product line, the implied covenant may be available as a basis for a claim. Audit rights exist to verify compliance with the agreement that granted them. Using them as reconnaissance for a different product’s claims is not what the parties agreed to, and California courts take that distinction seriously.

Finally, economic duress. California recognizes the doctrine where one party uses a wrongful act or threat to force another into a transaction it would otherwise refuse, and where the coerced party has no reasonable alternative. Rich & Whillock, Inc. v. Ashton Development, Inc. (1984) 157 Cal.App.3d 1154 remains the foundational authority. The choice Oracle is presenting — an expensive new metric, or a whole-VMware farm disclosure that will foreseeably build claims elsewhere, or abandoning a business-critical platform on an infeasible timeline — fits that framework. Most often the scope of Oracle’s demanded disclosure has no legitimate relationship to the Java transaction, and a customer whose Java dependencies cannot be unwound on Oracle’s timeline has no reasonable alternative. Duress is a particularly valuable defense because it attacks the enforceability of any settlement Oracle later extracts from data produced under coercion.

What To Do When the Pattern Appears

A few practical steps apply whether the demand arrives in a formal audit letter, a GLAS follow-up, or a sales-team email holding up a subscription quote. Stop providing VMware information in any Java communication. Demand in writing that Oracle identify the specific contract clause authorizing the request and the specific Oracle product whose compliance is being verified; if Oracle cannot answer, the request is a fishing expedition. Document any conditioning of a subscription sale on disclosure — that documentation is the foundation of any UCL, implied-covenant, or duress argument later. And involve counsel before information leaves the company. Early, counsel-led responses are the single strongest predictor of a favorable outcome in this pattern.

Closing Thought

The Java audit is increasingly not about Java. Oracle’s enforcement program is a data-gathering operation with a sales objective attached, and the whole-farm VMware demand is the most aggressive expression of that strategy we have yet seen. California law gives customers real tools to resist it — but those tools only work if the customer reaches for them before the data has been delivered.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.