I recently upgraded Splunk from 7.3 to 8.0.1 and ES correspondlingly. Since doing that, my vulnerability scanner is flagging
{splunk-home}/etc/apps/splunk_archiver/java-bin/jars/vendors/java/OpenJDK8U-jre_x64_linux_hotspot_8u212b03/lib/rt.jar and
{splunk-home}/etc/apps/splunk_archiver/java-bin/jars/vendors/java/OpenJDK8U-jre_x64_linux_hotspot_8u212b03/lib/rt.jar
as vulnerable.
Can these the directories and files under {splunk-home}/etc/apps/splunk-archiver/java-bin be deleted?
I opened a ticket with Splunk Support about this. Here is the reply:
I have research further on this and found that Splunk removed OpenJDK in 8.0.5. It's only used by DFS. If you're not using DFS, you can delete it in both places, SPLUNK_HOME/bin/jars and SPLUNK_HOME/etc/apps/splunk_archiver/java-bin/jars
Please find the steps below:
1. Browse to the following directories and remove the .jar files:
- $SPLUNK_HOME/bin/jars
- $SPLUNK_HOME/etc/apps/splunk_archiver/java-bin/jars/
## Only proceed when the above is complete on all splunk instances ##
2. On all SH instances (SH,CM, Deployer, Deployment Server, License Master), delete all existing knowledge bundles from $SPLUNK_HOME/var/run
## Only proceed once step 3 is complete ##
3. On the indexers, delete all existing knowledge bundles from $SPLUNK_HOME/var/run/searchpeers
I've hot the same issue. The JRE and OpenJDK are not installed system wide via apt.
sudo apt list --installed
does not indicate openjdk is installed.
Vulnerability scanners are picking up the presence of the binaries.
Can someone from Splunk indicate if the files can be deleted ?
Anything new on this I am getting pinged for remediation.
@isbjorn wondering the same thing - did you manage to solve this?
Did you end up doing anything with this? It's getting flagged for us as well...