Vulnerability scan still showing Oracle JRE files after an upgrade to Spectrum 10.4

Article ID: 143802

Products

CA eHealth, CA Spectrum

Issue/Introduction

I upgraded to 10.4 on my non-prod servers and had them scanned. The scan showed Oracle JRE files left over from older Spectrum versions, e.g.:

On the SS servers we are getting the following:

The following vulnerable instances of Java are installed on the
remote host :

Path : /opt/CA/spectrum/Java/
Installed version : 1.8.0_172
Fixed version : 1.7.0_241 / 1.8.0_231 / 1.11.0_5 / 1.13.0_1

Path : /opt/CA/spectrum/Java/
Installed version : 1.8.0_172
Fixed version : 1.7.0_241 / 1.8.0_231 / 1.11.0_5 / 1.13.0_1

These files are not present in a fresh install of Spectrum 10.4.x

Why is this happening, even though Spectrum 10 uses AdoptOpenJDK JRE rather than Oracle Java?

Environment

Release : 10.4

Component : Spectrum Core / SpectroSERVER

Resolution

During an upgrade, the old JRE is not removed. The old JDK will be upgraded on install.
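
To confirm which runtime directories a scanner is reacting to after an upgrade, the following added example (not part of the original article and not vendor code) walks an install tree, reads each runtime's `release` file, and flags any 1.8 runtime below the fixed 1.8 version quoted in the scan output above. Assumptions: each runtime directory carries a `release` file with a `JAVA_VERSION` line, the `IMPLEMENTOR` line may be absent, and the default root `/opt/CA/spectrum` is taken from the path in the scan output.

```python
#!/usr/bin/env python3
"""Inventory Java runtimes under an install tree and flag ones below a fixed version."""
import os
import re
import sys

# Fixed version for the 1.8 line, taken from the scan output in this article.
FIXED_8 = "1.8.0_231"

def parse_release(path):
    """Return KEY -> value pairs from a runtime 'release' file (KEY="value" lines)."""
    props = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = re.match(r'\s*([A-Z_]+)="?([^"\n]*)"?\s*$', line)
            if m:
                props[m.group(1)] = m.group(2)
    return props

def version_key(version):
    """Turn '1.8.0_172' into (1, 8, 0, 172) so versions compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def find_runtimes(root):
    """Return sorted (directory, JAVA_VERSION, IMPLEMENTOR or 'unknown') tuples."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if "release" in files:
            props = parse_release(os.path.join(dirpath, "release"))
            if "JAVA_VERSION" in props:
                results.append((dirpath, props["JAVA_VERSION"],
                                props.get("IMPLEMENTOR", "unknown")))
    return sorted(results)

def stale(runtimes, fixed=FIXED_8):
    """Return runtimes on the same major.minor line as `fixed` with a lower version."""
    fk = version_key(fixed)
    return [r for r in runtimes
            if version_key(r[1])[:2] == fk[:2] and version_key(r[1]) < fk]

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/opt/CA/spectrum"
    found = find_runtimes(root)
    old = stale(found)
    for directory, ver, impl in found:
        flag = "BELOW FIXED" if (directory, ver, impl) in old else "ok"
        print(f"{directory}\t{ver}\t{impl}\t{flag}")
    sys.exit(1 if old else 0)
```

The script exits non-zero when at least one runtime below the fixed version is found, so it can be used as a post-upgrade check before requesting a rescan.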