The core Splunk Enterprise functionality does not use OpenJDK but included the jar to support DFS. If you do not use DFS, the Splunk Enterprise application does not use or load OpenJDK, and the jar does not pose a security risk to your instance. Splunk Enterprise removed OpenJDK in 8.1.0 and later. See https://docs.splunk.com/Documentation/DFS/latest/DFS/InstallationChecklist for more info. However, updating from older versions does not remove it.

If you do not use DFS or do not plan to use DFS, regardless of your Splunk version, feel free to delete the file folder in SPLUNK_HOME/bin/jars or SPLUNK_HOME/bin/jars/vendors/java.

The jar files in SPLUNK_HOME/etc/apps/splunk_archiver/java-bin/jars propagate from SPLUNK_HOME/bin/jars. In the background, and on running the command |archivebuckets forcerun=1, splunkd copies all jar files from /bin/jars to splunk_archiver. However, splunk_archiver does not use OpenJDK and the jar does not pose a threat to your instance. Deleting the file from the main folder and restarting Splunk should delete it from splunk_archiver. Running |archivebuckets forcerun=1 forces the operation.

If your environment uses DFS, you can manually update/replace OpenJDK with a newer version. Keep in mind, DFS EOLs in October 2021.
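One way to confirm the cleanup described above took effect, as an added example that is not part of the original post or Splunk's own tooling: the function lists jars still present in splunk_archiver that no longer have a source under bin/jars. The function name is hypothetical, and matching jars by file name alone is an assumption, since the post does not name the OpenJDK file.

```shell
#!/bin/sh
# Added example: report jars left behind in splunk_archiver after the
# source jar was deleted from SPLUNK_HOME/bin/jars.
# Assumption: a copy corresponds to its source by file name only.

# stale_archiver_jars SPLUNK_HOME  (hypothetical helper name)
# Prints one path per line for every jar in
# etc/apps/splunk_archiver/java-bin/jars that has no same-named jar
# anywhere under bin/jars (this covers bin/jars/vendors/java too).
stale_archiver_jars() {
    home=$1
    src="$home/bin/jars"
    dst="$home/etc/apps/splunk_archiver/java-bin/jars"

    # Nothing to report if the archiver app has no jar folder.
    [ -d "$dst" ] || return 0

    find "$dst" -type f -name '*.jar' | sort | while IFS= read -r copy; do
        name=$(basename "$copy")
        # A copy is stale when bin/jars is gone or holds no jar of that name.
        if [ ! -d "$src" ] ||
           [ -z "$(find "$src" -type f -name "$name" | head -n 1)" ]; then
            printf '%s\n' "$copy"
        fi
    done
}

# Run against an instance when a path argument or SPLUNK_HOME is supplied.
target=${1:-${SPLUNK_HOME:-}}
if [ -n "$target" ]; then
    stale_archiver_jars "$target"
fi
```

Empty output after a restart means the copies are gone; any path listed is a copy that the forced archivebuckets run should still clear.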