Apache Derby End of Life (EOL) Dates & Support Timeline
Complete end-of-life dates, support windows, and security status for all Apache Derby versions. Data sourced from endoflife.date and official vendor documentation. Updated at every deploy.
| Version | Latest Release | Release Date | EOL Date | Days | Status |
|---|---|---|---|---|---|
| 10.15 | 10.15.2.0 | Mar 10, 2019 | Jun 14, 2022 | 1485 days past EOL | EOL |
| 10.16 | 10.16.1.1 | Jun 14, 2022 | Nov 10, 2023 | 971 days past EOL | EOL |
| 10.17 | 10.17.1.0 | Nov 10, 2023 | TBD | Supported | Active |
Apache Derby lifecycle status — the real story
Apache Derby is the pure-Java embedded database that has shipped inside countless enterprise applications (and, as JavaDB, inside the JDK itself for a decade). The Derby community maintains only the most recent release: when 10.17.1.0 shipped in November 2023 it superseded 10.16, and older branches receive no fixes.
Derby's lifecycle trap is Java-version coupling: successive releases raise the minimum JDK aggressively, so applications pinned to older JDKs are structurally stranded on unmaintained Derby branches — 10.15 (2019) and 10.16 (2022) users often cannot move without a platform upgrade.
Release cadence has also slowed dramatically (one release since 2022), so even the "supported" branch ages between fixes. For new embedded-database work the ecosystem has largely moved to H2 or SQLite; existing Derby estates warrant an explicit lifecycle decision rather than drift.
What does Apache Derby end of life mean for your organization?
When a version of Apache Derby reaches end of life, the maintainers stop issuing security patches. Vulnerabilities discovered after this date are publicly disclosed on the National Vulnerability Database, exploit code appears on GitHub, and your systems remain permanently exposed.
The CVE blind spot: Most vulnerability scanners check for known CVEs but do not flag the accumulation of unpatched vulnerabilities in EOL software. With a zero-day, nobody knows about the vulnerability. With EOL software, the vulnerability is public — listed, rated, and often weaponized — but no patch will ever exist. This is the most dangerous gap in enterprise security posture.
Organizations running EOL Apache Derby should treat it as a vulnerability class in their risk register, apply compensating controls (network segmentation, enhanced monitoring, access restriction), and prioritize migration to a supported version.
Extended Support Options
If you cannot migrate immediately, extended support vendors provide continued security patches for EOL Apache Derby versions. This is a bridge, not a permanent solution — plan your migration in parallel.
We work with vetted extended support vendors. Tell us what you need and we'll connect you with the right provider.
Contact Us →