Splunk Enterprise Security

Can OpenJDK bundled within Splunk 8.0.1 in splunk-archiver be deleted?


I recently upgraded Splunk from 7.3 to 8.0.1 and ES correspondlingly. Since doing that, my vulnerability scanner is flagging

{splunk-home}/etc/apps/splunk_archiver/java-bin/jars/vendors/java/OpenJDK8U-jre_x64_linux_hotspot_8u212b03/lib/rt.jar and

as vulnerable.

Can these the directories and files under {splunk-home}/etc/apps/splunk-archiver/java-bin be deleted?


I opened a ticket with Splunk Support about this. Here is the reply:

I have research further on this and found that Splunk removed OpenJDK in 8.0.5. It's only used by DFS. If you're not using DFS, you can delete it in both places, SPLUNK_HOME/bin/jars and SPLUNK_HOME/etc/apps/splunk_archiver/java-bin/jars

Please find the steps below:

1. Browse to the following directories and remove the .jar files:
- $SPLUNK_HOME/bin/jars
- $SPLUNK_HOME/etc/apps/splunk_archiver/java-bin/jars/

## Only proceed when the above is complete on all splunk instances ##

2. On all SH instances (SH,CM, Deployer, Deployment Server, License Master), delete all existing knowledge bundles from $SPLUNK_HOME/var/run

## Only proceed once step 3 is complete ##

3. On the indexers, delete all existing knowledge bundles from $SPLUNK_HOME/var/run/searchpeers

0 Karma

New Member

I've hot the same issue. The JRE and OpenJDK are not installed system wide via apt.

sudo apt list --installed

does not indicate openjdk is installed.

Vulnerability scanners are picking up the presence of the binaries.

Can someone from Splunk indicate if the files can be deleted ?

0 Karma

Loves-to-Learn Everything

Anything new on this I am getting pinged for remediation.

0 Karma


@isbjorn wondering the same thing - did you manage to solve this?

0 Karma

Path Finder

Did you end up doing anything with this? It's getting flagged for us as well...

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...