We usually update Java when there's a JSS update available. As for the Java Cryptography Extension (JCE), they HAVE to match the version of Java installed or else the JSS will fail to start.
We currently rely on https://launchpad.net/~webupd8team/+archive/ubuntu/java to provide Oracle JDK 8.
There is work underway to bring OpenJDK 8, too, but I'm not sure when it'll have 8u40.
(By bundling, I mean we extract a copy of the JRE in our installation directory--we don't install the JRE and configure it as the system default.) The problem is, it's a hassle having to keep that JRE up-to-date because first we have to retest everything to make sure the update didn't break anything (it has broken some of our third-party dependencies in the past).
How seriously, if at all, are we putting our customers at risk if we don't update our SDK/JDK and the runtime/JRE that we bundle with our product every time there's a security update?
When looking at the JCE page on Oracle's Java site ( it doesn't appear that the JCE files are In fact, it appears to still be the same JCE files I installed back in October. Also, when you patch the Java JDK on your JSS servers, do you just run the updates from the Java control panel (Win) & Pref Pane (Mac), or do you actually download and install the full JDK installer again?