Java Runtime Environment (JRE) version 8 STIG for Unix

The Java Runtime Environment (JRE) is a bundle developed and offered by Oracle Corporation which includes the Java Virtual Machine (JVM), class libraries, and other components necessary to run Java applications and applets. Certain default settings within the JRE pose a security risk, so system-wide properties must be deployed to ensure a higher degree of security when using the JRE.

Details

Version / Release: V1R3

Published: 2017-09-27

Updated At: 2018-09-23 19:16:38

Findings

Each finding is listed as: Vuln ID (Rule Version, CCI, Severity), followed by its Title and Description. The Status, Finding Details and Comments columns of the source table were empty.

SV-81211r1_rule (JRE8-UX-000010, CCI-000366, Severity: MEDIUM)
Title: Oracle JRE 8 must have a deployment.config file present.
Description: By default no deployment.config file exists; thus, no system-wide deployment.properties file exists. The file must be created. The deployment.config file is used for specifying the location and execution of system-level properties for the Java Runtime En

SV-81399r2_rule (JRE8-UX-000020, CCI-000366, Severity: MEDIUM)
Title: Oracle JRE 8 deployment.config file must contain proper keys and values.
Description: The deployment.config configuration file contains two keys. The "deployment.properties" key includes the path of the "deployment.properties" file and the "deployment.properties.mandatory" key contains either a TRUE or FALSE value. If the path spec

SV-81401r1_rule (JRE8-UX-000030, CCI-000366, Severity: MEDIUM)
Title: Oracle JRE 8 must have a deployment.properties file present.
Description: By default no deployment.properties file exists; thus, no system-wide deployment exists. The file must be created. The deployment.properties file is used for specifying keys for the Java Runtime Environment. Each option in the Java control panel is repre

SV-81403r1_rule (JRE8-UX-000060, CCI-000366, Severity: LOW)
Title: Oracle JRE 8 must default to the most secure built-in setting.
Description: Applications that are signed with a valid certificate and include the permissions attribute in the manifest for the main JAR file are allowed to run with security prompts. All other applications are blocked. Unsigned applications could perform numerous ty

SV-81405r1_rule (JRE8-UX-000070, CCI-000366, Severity: MEDIUM)
Title: Oracle JRE 8 must be set to allow Java Web Start (JWS) applications.
Description: Java Web Start (JWS) applications are the most commonly used. Denying these applications could be detrimental to the user experience. Whitelisting, blacklisting, and signing of applications help mitigate the risk of running JWS applications.

SV-81407r1_rule (JRE8-UX-000080, CCI-001695, Severity: MEDIUM)
Title: Oracle JRE 8 must disable the dialog enabling users to grant permissions to execute signed content from an untrusted authority.
Description: Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their information populated into the browser, enabling Java to validat

SV-81409r1_rule (JRE8-UX-000090, CCI-001695, Severity: MEDIUM)
Title: Oracle JRE 8 must lock the dialog enabling users to grant permissions to execute signed content from an untrusted authority.
Description: Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their information populated into the browser, enabling Java to validate

SV-81411r1_rule (JRE8-UX-000100, CCI-000185, Severity: MEDIUM)
Title: Oracle JRE 8 must set the option to enable online certificate validation.
Description: Online certificate validation provides a real-time option to validate a certificate. When enabled, if a certificate is presented, the status of the certificate is requested. The status is sent back as "current", "expired", or "unknown". Onl

SV-81413r1_rule (JRE8-UX-000110, CCI-001169, Severity: MEDIUM)
Title: Oracle JRE 8 must prevent the download of prohibited mobile code.
Description: Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code is defined as software modules obtained from remote system

SV-81415r2_rule (JRE8-UX-000120, CCI-001774, Severity: MEDIUM)
Title: Oracle JRE 8 must enable the option to use an accepted sites list.
Description: Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. The organization must identify aut

SV-81417r1_rule (JRE8-UX-000130, CCI-001774, Severity: MEDIUM)
Title: Oracle JRE 8 must have an exception.sites file present.
Description: Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. The organization must identify aut

SV-81419r1_rule (JRE8-UX-000150, CCI-001991, Severity: MEDIUM)
Title: Oracle JRE 8 must enable the dialog to enable users to check publisher certificates for revocation.
Description: A certificate revocation list is a directory which contains a list of certificates that have been revoked for various reasons. Certificates may be revoked due to improper issuance, compromise of the certificate, and failure to adhere to policy. Therefore,

SV-81421r1_rule (JRE8-UX-000160, CCI-001991, Severity: MEDIUM)
Title: Oracle JRE 8 must lock the option to enable users to check publisher certificates for revocation.
Description: Certificates may be revoked due to improper issuance, compromise of the certificate, and failure to adhere to policy. Therefore, any certificate found revoked on a CRL or via Online Certificate Status Protocol (OCSP) should not be trusted. Permitting exec

SV-81423r1_rule (JRE8-UX-000170, CCI-002460, Severity: MEDIUM)
Title: Oracle JRE 8 must prompt the user for action prior to executing mobile code.
Description: Mobile code can cause damage to the system. It can execute without explicit action from, or notification to, a user. Actions enforced before executing mobile code include, for example, prompting users prior to opening email attachments and disabling aut

SV-81425r1_rule (JRE8-UX-000190, CCI-002617, Severity: MEDIUM)
Title: Oracle JRE 8 must remove previous versions when the latest version is installed.
Description: Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the

SV-81427r1_rule (JRE8-UX-000180, CCI-002605, Severity: HIGH)
Title: The version of Oracle JRE 8 running on the system must be the most current available.
Description: Oracle JRE 8 is being continually updated by the vendor in order to address identified security vulnerabilities. Running an older version of the JRE can introduce security vulnerabilities to the system.