Splunk Enterprise Security

Can OpenJDK bundled within Splunk 8.0.1 in splunk-archiver be deleted?

isbjorn
Engager

I recently upgraded Splunk from 7.3 to 8.0.1 and ES correspondingly. Since doing that, my vulnerability scanner is flagging

{splunk-home}/etc/apps/splunk_archiver/java-bin/jars/vendors/java/OpenJDK8U-jre_x64_linux_hotspot_8u212b03/lib/rt.jar and
{splunk-home}/etc/apps/splunk_archiver/java-bin/jars/vendors/java/OpenJDK8U-jre_x64_linux_hotspot_8u212b03/lib/rt.jar

as vulnerable.

Can the directories and files under {splunk-home}/etc/apps/splunk-archiver/java-bin be deleted?

poiromaniax
Explorer

I opened a ticket with Splunk Support about this. Here is the reply:

I have researched further on this and found that Splunk removed OpenJDK in 8.0.5. It's only used by DFS. If you're not using DFS, you can delete it in both places, SPLUNK_HOME/bin/jars and SPLUNK_HOME/etc/apps/splunk_archiver/java-bin/jars

Please find the steps below:

1. Browse to the following directories and remove the .jar files:
- $SPLUNK_HOME/bin/jars
- $SPLUNK_HOME/etc/apps/splunk_archiver/java-bin/jars/

## Only proceed when the above is complete on all splunk instances ##

2. On all SH instances (SH, CM, Deployer, Deployment Server, License Master), delete all existing knowledge bundles from $SPLUNK_HOME/var/run

## Only proceed once step 3 is complete ##

3. On the indexers, delete all existing knowledge bundles from $SPLUNK_HOME/var/run/searchpeers

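The removal steps in the support reply above, as an added example that is not Splunk's own tooling: a POSIX shell helper that inventories the bundled JRE under the two locations the reply names and moves the jars directories to a backup location instead of deleting them, so the change can be reverted if DFS turns out to be in use. It assumes that $SPLUNK_HOME/bin/jars follows the same vendors/java layout as the splunk_archiver copy and that the JRE ships the standard OpenJDK "release" file.

```shell
#!/bin/sh
# Added example (not Splunk tooling): inventory and stage removal of the JRE
# that Splunk 8.0.x bundles under the two paths named in the support reply.
# Assumption: both copies sit under <parent>/vendors/java/<jre>/ and carry a
# "release" file with a JAVA_VERSION="..." line, as OpenJDK builds do.
set -u

JRE_PARENTS='bin/jars/vendors/java etc/apps/splunk_archiver/java-bin/jars/vendors/java'

# list_bundled_jres SPLUNK_HOME: prints one "<jre path> <version>" line per copy.
list_bundled_jres() {
    home=$1
    for rel in $JRE_PARENTS; do
        [ -d "$home/$rel" ] || continue
        for jre in "$home/$rel"/*/; do
            [ -f "${jre}lib/rt.jar" ] || continue   # rt.jar is what the scanner flags
            ver=
            [ -f "${jre}release" ] && ver=$(sed -n 's/^JAVA_VERSION="\(.*\)"$/\1/p' "${jre}release")
            printf '%s %s\n' "${jre%/}" "${ver:-unknown}"
        done
    done
}

# stage_removal SPLUNK_HOME BACKUP_DIR: move (do not delete) the two jars dirs
# into BACKUP_DIR, preserving their relative paths; prints how many were moved.
stage_removal() {
    home=$1; backup=$2; moved=0
    for rel in bin/jars etc/apps/splunk_archiver/java-bin/jars; do
        [ -d "$home/$rel" ] || continue
        mkdir -p "$backup/$(dirname "$rel")"
        mv "$home/$rel" "$backup/$rel" && moved=$((moved + 1))
    done
    echo "$moved"
}

# make_fixture: constructed SPLUNK_HOME mirroring the page's layout, for a
# dry run offline; only empty placeholder files are created, no real JRE.
make_fixture() {
    home=$(mktemp -d)
    for rel in $JRE_PARENTS; do
        jre="$home/$rel/OpenJDK8U-jre_x64_linux_hotspot_8u212b03"
        mkdir -p "$jre/lib" && : > "$jre/lib/rt.jar"
        printf 'JAVA_VERSION="1.8.0_212"\n' > "$jre/release"
    done
    echo "$home"
}
```

Run list_bundled_jres against the real $SPLUNK_HOME on every instance first, and only call stage_removal after confirming DFS is not in use.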

mw_lt
New Member

I've got the same issue. The JRE and OpenJDK are not installed system-wide via apt.

sudo apt list --installed

does not indicate openjdk is installed.

Vulnerability scanners are picking up the presence of the binaries.

Can someone from Splunk indicate if the files can be deleted?


janderson42
Loves-to-Learn Everything

Anything new on this? I am getting pinged for remediation.


poiromaniax
Explorer

@isbjorn wondering the same thing - did you manage to solve this?


jcleary47
Path Finder

Did you end up doing anything with this? It's getting flagged for us as well...
