After a recent internal security review, we received an alert regarding the official Elasticsearch 8.19.5 Docker image. The report indicates the presence of a vulnerable component — Oracle JRE 25 (jrt-fs.jar).
Here are the details from our scan:
- Elasticsearch version: 8.19.5
- Base JDK: OpenJDK 25 (as bundled in the official image)
- Flagged file: /usr/share/elasticsearch/jdk/lib/jrt-fs.jar
- Detected component: Oracle JRE 25 – Java Runtime Environment
- Alert: "Oracle Java must be removed unless the vendor provides a valid license. In such cases, update the system to the latest version of Azul Java instead."
My understanding is that Elasticsearch uses a bundled OpenJDK distribution, so we’re trying to understand why the scan reports this Oracle JRE reference. Could you please clarify:
- Is the inclusion of jrt-fs.jar with Oracle JRE metadata expected in the official OpenJDK-based image?
- Has Elastic verified whether this file (or version metadata) actually poses any security risk?
- Does Elasticsearch have a valid license in place for this usage?
- Is there an updated or alternate Elasticsearch Docker image that eliminates this detection?
We want to ensure our deployment of Elasticsearch 8.19.5 remains compliant with internal security requirements and to confirm whether this is a false positive or an issue needing remediation.
Thank you for your help and clarification.
Best regards,
Elex