We have a vulnerability detected on the CARA server for Java JRE6. The Java 1.6 binaries are only present from previous CARA 6.4 versions and are not being used now. CARA is pointed to Java 1.8 from the server specific.
Release : 6.4
Component : CA RELEASE AUTOMATION RELEASE OPERATIONS CENTER
The paths listed below have been identified in a security scan as containing JRE6 artifacts residing on the system. We consider this a partial false alarm, as these artifacts do not reflect actual usage by any application on the system. However, we leave it to the security policy standards at your end to determine whether you want to exclude the mentioned paths. We provide details about each path and the possible next action that can be taken.
Detail: The above path points to an agent artifact that Release Automation uses to upgrade the agent.
Detail: The above path points to a restoration point that was created when this system was upgraded in the past.
Detail: The above path is a symbolic link to the JRE present on the system. This indicates that the agent installed on this OS is not shipped with a JRE and relies on the JRE present on the system.
Please find the possible next actions that can be taken to eradicate the listed vulnerabilities.