Splunk Enterprise Security

Can OpenJDK bundled within Splunk 8.0.1 in splunk-archiver be deleted?

isbjorn
Engager

I recently upgraded Splunk from 7.3 to 8.0.1 and ES correspondlingly. Since doing that, my vulnerability scanner is flagging

{splunk-home}/etc/apps/splunk_archiver/java-bin/jars/vendors/java/OpenJDK8U-jre_x64_linux_hotspot_8u212b03/lib/rt.jar and
{splunk-home}/etc/apps/splunk_archiver/java-bin/jars/vendors/java/OpenJDK8U-jre_x64_linux_hotspot_8u212b03/lib/rt.jar

as vulnerable.

Can these the directories and files under {splunk-home}/etc/apps/splunk-archiver/java-bin be deleted?

poiromaniax
Explorer

I opened a ticket with Splunk Support about this. Here is the reply:



I have research further on this and found that Splunk removed OpenJDK in 8.0.5. It's only used by DFS. If you're not using DFS, you can delete it in both places, SPLUNK_HOME/bin/jars and SPLUNK_HOME/etc/apps/splunk_archiver/java-bin/jars

Please find the steps below:



1. Browse to the following directories and remove the .jar files:
- $SPLUNK_HOME/bin/jars
- $SPLUNK_HOME/etc/apps/splunk_archiver/java-bin/jars/

## Only proceed when the above is complete on all splunk instances ##

2. On all SH instances (SH,CM, Deployer, Deployment Server, License Master), delete all existing knowledge bundles from $SPLUNK_HOME/var/run

## Only proceed once step 3 is complete ##

3. On the indexers, delete all existing knowledge bundles from $SPLUNK_HOME/var/run/searchpeers

0 Karma

mw_lt
New Member

I've hot the same issue. The JRE and OpenJDK are not installed system wide via apt.

sudo apt list --installed

does not indicate openjdk is installed.

Vulnerability scanners are picking up the presence of the binaries.

Can someone from Splunk indicate if the files can be deleted ?

0 Karma

janderson42
Loves-to-Learn Everything

Anything new on this I am getting pinged for remediation.

0 Karma

poiromaniax
Explorer

@isbjorn wondering the same thing - did you manage to solve this?

0 Karma

jcleary47
Path Finder

Did you end up doing anything with this? It's getting flagged for us as well...

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...