Java Runtime Environment (JRE) version 7 STIG for Unix

  • Version/Release: V1R6
  • Published: 2015-12-10
  • Released: 2016-01-22
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

The Java Runtime Environment (JRE) is a bundle developed and offered by Oracle Corporation which includes the Java Virtual Machine (JVM), class libraries, and other components necessary to run Java applications and applets. Certain default settings within the JRE pose a security risk so it is necessary to deploy system wide properties to ensure a higher degree of security when utilizing the JRE.
b
The dialog to enable users to grant permissions to execute signed content from an un-trusted authority must be disabled.
Medium - V-32828 - SV-43596r2_rule
RMF Control
Severity
Medium
CCI
Version
JRE0001-UX
Vuln IDs
  • V-32828
Rule IDs
  • SV-43596r2_rule
Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their information populated into the browser, enabling Java to validate applets against trusted sources. Permitting execution of signed Java applets from un-trusted sources may result in acquiring malware, and risks system modification, invasion of privacy, or denial of service. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.DCBP-1
Checks: C-41457r6_chk

If the system is on the SIPRNET, this requirement is NA. Examine the system 'deployment.properties' file for Java which is located by default at /usr/java/jre/lib/deployment.properties. If the 'deployment.security.askgrantdialog.notinca=false' key is not present, this is a finding. If the key 'deployment.security.askgrantdialog.notinca' exists and is set to true, this is a finding.

Fix: F-37097r6_fix

Disable the 'Allow user to grant permissions to content from an un-trusted authority' feature. Navigate to the 'deployment.properties' file for Java, the default location is /usr/java/jre/lib/deployment.properties If the key does not exist, create the 'deployment.security.askgrantdialog.notinca' key and set the value to 'false'. If the key does exist. update the 'deployment.security.askgrantdialog.notinca' key to be a value of 'false'.

b
The dialog enabling users to grant permissions to execute signed content from an un-trusted authority must be locked.
Medium - V-32829 - SV-43601r2_rule
RMF Control
Severity
Medium
CCI
Version
JRE0010-UX
Vuln IDs
  • V-32829
Rule IDs
  • SV-43601r2_rule
Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their information populated into the browser, enabling Java to validate applets against trusted sources. Permitting execution of signed Java applets from un-trusted sources may result in malware running on the system, and risks system modification, invasion of privacy, or denial of service. Ensuring users cannot change the permission settings which control the execution of signed Java applets contributes to a more consistent security profile. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed. DCBP-1
Checks: C-41463r6_chk

If the system is on the SIPRNET this requirement is NA. Navigate to the 'deployment.properties' file for Java, the default location is /usr/java/jre/lib/deployment.properties Review the file. If the 'deployment.security.askgrantdialog.notinca.locked' key is not present this is a finding.

Fix: F-37103r6_fix

Lock the 'Allow user to grant permissions to content from an un-trusted authority' feature. Navigate to the 'deployment.properties' file for Java, the default location is /usr/java/jre/lib/deployment.properties Edit the file and add the 'deployment.security.askgrantdialog.notinca.locked' key.

b
The setting for users to check publisher certificates for revocation must be enabled.
Medium - V-32830 - SV-43604r2_rule
RMF Control
Severity
Medium
CCI
Version
JRE0020-UX
Vuln IDs
  • V-32830
Rule IDs
  • SV-43604r2_rule
A certificate revocation list is a directory which contains a list of certificates that have been revoked for various reasons. Certificates may be revoked due to improper issuance, compromise of the certificate, and failure to adhere to policy. Therefore, any certificate found on a CRL should not be trusted. Permitting execution of an applet published with a revoked certificate may result in spoofing, malware, system modification, invasion of privacy, and denial of service. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed. DCBP-1
Checks: C-41467r8_chk

If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java, the default location is /usr/java/jre/lib/deployment.properties. If the 'deployment.security.validation.crl' key is not present, this is a finding. If the 'deployment.security.validation.crl' key is present and set to 'false', this is a finding.

Fix: F-37107r5_fix

Enable the 'Check certificates for revocation using Certificate Revocation Lists (CRL)' option. Navigate to the 'deployment.properties' file for Java, the default location is /usr/java/jre/lib/deployment.properties Add or update the 'deployment.security.validation.crl' key. Set the value to 'true'.

b
The setting enabling users to configure the check publisher certificates for revocation must be locked.
Medium - V-32831 - SV-43617r3_rule
RMF Control
Severity
Medium
CCI
Version
JRE0030-UX
Vuln IDs
  • V-32831
Rule IDs
  • SV-43617r3_rule
Certificates may be revoked due to improper issuance, compromise of the certificate, and failure to adhere to policy. Therefore, any certificate found revoked on a CRL or via Online Certificate Status Protocol (OCSP) should not be trusted. Permitting execution of an applet published with a revoked certificate may result in spoofing, malware, system modification, invasion of privacy, and denial of service. Ensuring users cannot change these settings assures a more consistent security profile. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed. DCBP-1
Checks: C-41480r13_chk

If the system is on the SIPRNET, this requirement is NA. Navigate to the system 'deployment.properties' file for Java, the default location is /usr/java/jre/lib/deployment.properties. If the 'deployment.security.validation.crl.locked' key is not present within the deployment.properties file, this is a finding. If the 'deployment.security.validation.ocsp.locked' key is not present within the deployment.properties file, this is a finding.

Fix: F-37120r12_fix

Navigate to the system 'deployment.properties' file for Java, the default location is /usr/java/jre/lib/deployment.properties. Add the 'deployment.security.validation.crl.locked' key to the deployment.properties file. Add the 'deployment.security.validation.ocsp.locked' key to the deployment.properties file.

b
The option to enable online certificate validation must be enabled.
Medium - V-32832 - SV-43618r2_rule
RMF Control
Severity
Medium
CCI
Version
JRE0040-UX
Vuln IDs
  • V-32832
Rule IDs
  • SV-43618r2_rule
Online certificate validation provides a real-time option to validate a certificate. When enabled, if a certificate is presented, the status of the certificate is requested. The status is sent back as 'current', 'expired', or 'unknown'. Online certificate validation provides a greater degree of validation of certificates when running a signed Java applet. Permitting execution of an applet with an invalid certificate may result in malware execution , system modification, invasion of privacy, and denial of service. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed. DCBP-1
Checks: C-41481r8_chk

If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java. /usr/java/jre/lib/deployment.properties Examine the deployment.properties file for the 'deployment.security.validation.ocsp' key. If the 'deployment.security.validation.ocsp' key is not present, this is a finding. If the key 'deployment.security.validation.ocsp' is set to 'false', this is a finding.

Fix: F-37121r6_fix

If the system is on the SIPRNET, this requirement is NA. Enable the 'Enable online certificate validation' option. Navigate to the 'deployment.properties' file for Java. /usr/java/jre/lib/deployment.properties Add or update the key 'deployment.security.validation.ocsp' to be 'true'.

b
The option to enable online certificate validation must be locked.
Medium - V-32833 - SV-43619r2_rule
RMF Control
Severity
Medium
CCI
Version
JRE0050-UX
Vuln IDs
  • V-32833
Rule IDs
  • SV-43619r2_rule
Online certificate validation provides a real-time option to validate a certificate. When enabled, if a certificate is presented, the status of the certificate is requested. The status is sent back as 'current', 'expired', or 'unknown'. Online certificate validation provides a greater degree of validation of certificates when running a signed Java applet. Permitting execution of an applet with an invalid certificate may result in malware, system modification, invasion of privacy, and denial of service. Ensuring users cannot change settings contributes to a more consistent security profile. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed. DCBP-1
Checks: C-41482r6_chk

If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java. /usr/java/jre/lib/deployment.properties If the key 'deployment.security.validation.ocsp.locked' is not present, this is a finding.

Fix: F-37122r6_fix

If the system is on the SIPRNET, this requirement is NA. Lock the 'Enable online certificate validation' option. Navigate to the 'deployment.properties' file for Java. /usr/java/jre/lib/deployment.properties Add the key 'deployment.security.validation.ocsp.locked'.

b
The configuration file must contain proper keys and values to deploy settings correctly.
Medium - V-32842 - SV-43649r1_rule
RMF Control
Severity
Medium
CCI
Version
JRE0060-UX
Vuln IDs
  • V-32842
Rule IDs
  • SV-43649r1_rule
This configuration file must hold values of the location of the deployment.properties file as well as the enforcement of these properties. Without a proper path for the properties file, deployment would not be possible. If the path specified does not lead to a properties file the value of the 'deployment.system.config. mandatory' key determines how to handle the situation. If the value of this key is true, JRE will not run if the path to the properties file is invalid. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.DCBP-1
Checks: C-41526r4_chk

Navigate to the deployment.config file. /usr/java/jre/lib/deployment.config If the configuration file does not contain 'deployment.system.config=file:/usr/java/jre/lib/deployment.properties', this is a finding. If the configuration file does not contain 'deployment.system.config.mandatory=false', this is a finding.

Fix: F-37162r6_fix

Specify the path to the deployment.properties file and set the mandatory configuration values. Navigate to the deployment.config file. /usr/java/jre/lib/deployment.properties Include the following keys in the configuration file: 'deployment.system.config=file:/usr/java/jre/lib/deployment.properties' 'deployment.system.config.mandatory=false'.

b
A configuration file must be present to deploy properties for JRE.
Medium - V-32901 - SV-43621r1_rule
RMF Control
Severity
Medium
CCI
Version
JRE0070-UX
Vuln IDs
  • V-32901
Rule IDs
  • SV-43621r1_rule
The deployment.config file is used for specifying the location and execution of system-level properties for the Java Runtime Environment. By default no deployment.config file exists; thus, no system-wide deployment.properties file exists. Without the deployment.config file, setting particular options for the Java control panel is impossible. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.DCBP-1
Checks: C-41484r5_chk

Navigate to the lib directory: /usr/java/jre/lib/ If there is no configuration file entitled 'deployment.config', this is a finding.

Fix: F-37124r6_fix

Create a JRE deployment configuration file. Navigate to the lib directory: /usr/java/jre/lib/ Create a configuration file entitled 'deployment.config'.

b
A properties file must be present to hold all the keys that establish properties within the Java control panel.
Medium - V-32902 - SV-43620r2_rule
RMF Control
Severity
Medium
CCI
Version
JRE0080-UX
Vuln IDs
  • V-32902
Rule IDs
  • SV-43620r2_rule
The deployment.properties file is used for specifying keys for the Java Runtime Environment. Each option in the Java control panel is represented by property keys. These keys adjust the options in the Java control panel based on the value assigned to that key. By default no deployment.properties file exists; thus, no system-wide deployment exists. Without the deployment.properties file, setting particular options for the Java control panel is impossible. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed. DCBP-1
Checks: C-41483r6_chk

Navigate to the lib directory: /usr/java/jre/lib/ If there is no properties file entitled 'deployment.properties', this is a finding.

Fix: F-37123r6_fix

Create the Java deployment properties file. Navigate to the lib directory: /usr/java/jre/lib/ Create a properties file entitled 'deployment.properties'.

b
The version of the JRE running on the system must be the most current available.
Medium - V-39239 - SV-51133r1_rule
RMF Control
Severity
Medium
CCI
Version
JRE0090-UX
Vuln IDs
  • V-39239
Rule IDs
  • SV-51133r1_rule
The JRE is being continually updated by the vendor in order to address identified security vulnerabilities. Running an older version of the JRE can introduce security vulnerabilities to the system.Java applications are runtime version dependant. Applications must be tested to ensure compatability with new Java Runtime version prior to applying upgrades to production environment. Failure to test application functionality with the newest version of JRE could result in undesireable results up to and including partial or full application failure.System AdministratorDCBP-1
Checks: C-46509r5_chk

Open a terminal window and type the command; "java -version" sans quotes. The return value should contain Java build information; "Java (TM) SE Runtime Environment (build x.x.x.x)" Cross reference the build information on the system with the Oracle Java site to identify the most recent build available. http://www.oracle.com/technetwork/java/javase/downloads/index.html

Fix: F-44218r5_fix

Test applications to ensure operational compatability with new version of Java. Install latest version of Java JRE.

c
Java Runtime Environment (JRE) versions that are no longer supported by the vendor for security updates must not be installed on a system.
CM-6 - High - CCI-000366 - V-61037 - SV-75505r2_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
JRE9999-UX
Vuln IDs
  • V-61037
Rule IDs
  • SV-75505r2_rule
Java Runtime Environment (JRE) versions that are no longer supported by Oracle for security updates are not evaluated or updated for vulnerabilities leaving them open to potential attack. Organizations must transition to a supported Java Runtime Environment (JRE) version to ensure continued support.DCSQ-1
Checks: C-61979r2_chk

Oracle support for Java Runtime Environment (JRE) 7 for Unix ended 2015 April. If JRE 7 for Unix is installed on a system, this is a finding. If an extended support agreement providing security patches for the unsupported product is procured from the vendor, this finding may be downgraded to a CAT III.

Fix: F-66777r1_fix

Upgrade Java Runtime Environment (JRE) 7 for Unix software to a supported version.