Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

Java Runtime Environment (JRE) version 7 STIG for Windows 7

V1R6 · · · Released 23 Jan 2014 · 10 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

The Java Runtime Environment (JRE) is a bundle developed and offered by Oracle Corporation which includes the Java Virtual Machine (JVM), class libraries, and other components necessary to run Java applications and applets. Certain default settings within the JRE pose a security risk so it is necessary to deploy system wide properties to ensure a higher degree of security when utilizing the JRE.
Digest of Updates vs. V1R5 · 24 Oct 2014 ✎ 2

Comparison against the immediately-prior release (V1R5). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

Content changes 2

  • V-32829 Medium check The dialog enabling users to grant permissions to execute signed content from an un-trusted authority must be locked.
  • V-32902 Medium check A properties file must be present to hold all the keys that establish properties within the Java control panel.
Sort by
b
The dialog enabling users to grant permissions to execute signed content from an un-trusted authority must be disabled.
Medium - V-32828 - SV-43638r2_rule
RMF Control
Severity
M
CCI
Version
JRE0001-J72K7
Vuln IDs
  • V-32828
Rule IDs
  • SV-43638r2_rule
Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their information populated into the browser, enabling Java to validate applets against trusted sources. Permitting execution of signed Java applets from un-trusted sources may result in acquiring malware, and risks system modification, invasion of privacy, or denial of service. DCBP-1
Checks: C-41507r5_chk

If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java. For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.properties For 64 bit systems you must check both the 64 bit and the 32 bit files: C:\Program Files\Java\jre7\lib\deployment.properties C:\Program Files (x86)\Java\jre7\lib\deployment.properties If the key, 'deployment.security.askgrantdialog.notinca=false' is not present, this is a finding. If the key 'deployment.security.askgrantdialog.notinca' exists and is set to true, this is a finding.

Fix: F-37143r6_fix

Disable the 'Allow user to grant permissions to content from an un-trusted authority' feature. Navigate to the 'deployment.properties' file for Java. For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.properties. For 64 bit systems you must check both the 64 bit and the 32 bit files: C:\Program Files\Java\jre7\lib\deployment.properties C:\Program Files (x86)\Java\jre7\lib\deployment.properties Add or update the key 'deployment.security.askgrantdialog.notinca' to be 'false'.

b
The dialog enabling users to grant permissions to execute signed content from an un-trusted authority must be locked.
Medium - V-32829 - SV-43639r3_rule
RMF Control
Severity
M
CCI
Version
JRE0010-J72K7
Vuln IDs
  • V-32829
Rule IDs
  • SV-43639r3_rule
Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their information populated into the browser, enabling Java to validate applets against trusted sources. Permitting execution of signed Java applets from un-trusted sources may result in acquiring malware, and risks system modification, invasion of privacy, or denial of service. Ensuring users cannot change settings contributes to a more consistent security profile. DCBP-1
Checks: C-41509r5_chk

If the system is on the SIPRNET this requirement is NA. Navigate to the 'deployment.properties' file for Java. For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.properties. For 64 bit systems you must check both the 64 bit and the 32 bit files: C:\Program Files\Java\jre7\lib\deployment.properties C:\Program Files (x86)\Java\jre7\lib\deployment.properties If the key 'deployment.security.askgrantdialog.notinca.locked' is not present within the deployment.properties file, this is a finding.

Fix: F-37145r4_fix

Lock the 'Allow user to grant permissions to content from an un-trusted authority' feature. Navigate to the 'deployment.properties' file for Java. For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.properties. For 64 bit systems you must check both the 64 bit and the 32 bit files: C:\Program Files\Java\jre7\lib\deployment.properties C:\Program Files (x86)\Java\jre7\lib\deployment.properties Add the key 'deployment.security.askgrantdialog.notinca.locked' to the deployment.properties file.

b
The dialog to enable users to check publisher certificates for revocation must be enabled.
Medium - V-32830 - SV-43640r3_rule
RMF Control
Severity
M
CCI
Version
JRE0020-J72K7
Vuln IDs
  • V-32830
Rule IDs
  • SV-43640r3_rule
A certificate revocation list is a directory which contains a list of certificates that have been revoked for various reasons. Certificates may be revoked due to improper issuance, compromise of the certificate, and failure to adhere to policy. Therefore, any certificate found on a CRL should not be trusted. Permitting execution of an applet published with a revoked certificate may result in spoofing, malware, system modification, invasion of privacy, and denial of service. DCBP-1
Checks: C-41511r5_chk

If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java. For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.properties. For 64 bit systems you must check both the 64 bit and the 32 bit files: C:\Program Files\Java\jre7\lib\deployment.properties C:\Program Files (x86)\Java\jre7\lib\deployment.properties If the key 'deployment.security.validation.crl' is not present in the deployment.properties file, this is a finding. If the key 'deployment.security.validation.crl' is set to 'false', this is a finding.

Fix: F-37147r6_fix

Enable the 'Check certificates for revocation using Certificate Revocation Lists (CRL)' option. Navigate to the 'deployment.properties' file for Java. For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.properties. For 64 bit systems you must check both the 64 bit and the 32 bit files: C:\Program Files\Java\jre7\lib\deployment.properties C:\Program Files (x86)\Java\jre7\lib\deployment.properties Add or update the key, 'deployment.security.validation.crl' in the deployment.properties file. Set the value to 'true'.

b
The option to enable users to check publisher certificates for revocation must be locked.
Medium - V-32831 - SV-43641r4_rule
RMF Control
Severity
M
CCI
Version
JRE0030-J72K7
Vuln IDs
  • V-32831
Rule IDs
  • SV-43641r4_rule
Certificates may be revoked due to improper issuance, compromise of the certificate, and failure to adhere to policy. Therefore, any certificate found revoked on a CRL or via Online Certificate Status Protocol (OCSP) should not be trusted. Permitting execution of an applet published with a revoked certificate may result in spoofing, malware, system modification, invasion of privacy, and denial of service. Ensuring users cannot change these settings assures a more consistent security profile. DCBP-1
Checks: C-41513r7_chk

If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java. For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.properties. For 64 bit systems you must check both the 64 bit and the 32 bit files: C:\Program Files\Java\jre7\lib\deployment.properties C:\Program Files (x86)\Java\jre7\lib\deployment.properties If the key 'deployment.security.validation.crl.locked' is not present in the deployment.properties file, this is a finding. If the key 'deployment.security.validation.ocsp.locked' is not present in the deployment.properties file, this is a finding.

Fix: F-37149r6_fix

Navigate to the 'deployment.properties' file for Java. For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.properties. For 64 bit systems you must check both the 64 bit and the 32 bit files: C:\Program Files\Java\jre7\lib\deployment.properties C:\Program Files (x86)\Java\jre7\lib\deployment.properties Add the key 'deployment.security.validation.crl.locked' to the deployment.properties file. Add the key 'deployment.security.validation.ocsp.locked' to the deployment.properties file.

b
The option to enable online certificate validation must be enabled.
Medium - V-32832 - SV-43642r3_rule
RMF Control
Severity
M
CCI
Version
JRE0040-J72K7
Vuln IDs
  • V-32832
Rule IDs
  • SV-43642r3_rule
Online certificate validation provides a real-time option to validate a certificate. When enabled, if a certificate is presented, the status of the certificate is requested. The status is sent back as 'current', 'expired', or 'unknown'. Online certificate validation provides a greater degree of validation of certificates when running a signed Java applet. Permitting execution of an applet with an invalid certificate may result in malware, system modification, invasion of privacy, and denial of service. DCBP-1
Checks: C-41515r5_chk

If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java. For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.properties. For 64 bit systems you must check both the 64 bit and the 32 bit files: C:\Program Files\Java\jre7\lib\deployment.properties C:\Program Files (x86)\Java\jre7\lib\deployment.properties If the key 'deployment.security.validation.ocsp' is not present in the deployment.properties file, this is a finding. If the key 'deployment.security.validation.ocsp' is set to 'false', this is a finding.

Fix: F-37151r5_fix

Enable the 'Enable online certificate validation' option. Navigate to the 'deployment.properties' file for Java. For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.properties. For 64 bit systems you must check both the 64 bit and the 32 bit files: C:\Program Files\Java\jre7\lib\deployment.properties C:\Program Files (x86)\Java\jre7\lib\deployment.properties Add or update the key 'deployment.security.validation.ocsp' in the deployment.properties file. Set the value to 'true'.

b
The option to enable online certificate validation must be locked.
Medium - V-32833 - SV-43643r2_rule
RMF Control
Severity
M
CCI
Version
JRE0050-J72K7
Vuln IDs
  • V-32833
Rule IDs
  • SV-43643r2_rule
Online certificate validation provides a real-time option to validate a certificate. When enabled, if a certificate is presented, the status of the certificate is requested. The status is sent back as 'current', 'expired', or 'unknown'. Online certificate validation provides a greater degree of validation of certificates when running a signed Java applet. Permitting execution of an applet with an invalid certificate may result in malware, system modification, invasion of privacy, and denial of service. Ensuring users cannot change settings contributes to a more consistent security profile. DCBP-1
Checks: C-41517r5_chk

If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java. For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.properties. For 64 bit systems you must check both the 64 bit and the 32 bit files: C:\Program Files\Java\jre7\lib\deployment.properties C:\Program Files (x86)\Java\jre7\lib\deployment.properties If the key 'deployment.security.validation.ocsp.locked' is not present in the deployment.properties, this is a finding.

Fix: F-37153r4_fix

Lock the 'Enable online certificate validation' option. Navigate to the 'deployment.properties' file for Java. For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.properties. For 64 bit systems you must check both the 64 bit and the 32 bit files: C:\Program Files\Java\jre7\lib\deployment.properties C:\Program Files (x86)\Java\jre7\lib\deployment.properties Add the key 'deployment.security.validation.ocsp.locked' to the deployment.properties file.

b
The configuration file must contain proper keys and values to deploy settings correctly.
Medium - V-32842 - SV-43646r2_rule
RMF Control
Severity
M
CCI
Version
JRE0060-J72K7
Vuln IDs
  • V-32842
Rule IDs
  • SV-43646r2_rule
This configuration file must hold values of the location of the deployment.properties file as well as the enforcement of these properties. Without a proper path for the properties file, deployment would not be possible. If the path specified does not lead to a properties file the value of the 'deployment.system.config. mandatory' key determines how to handle the situation. If the value of this key is true, JRE will not run if the path to the properties file is invalid. DCBP-1
Checks: C-41521r7_chk

Navigate to the deployment.config file: If the deployment.config file does not exist, it must be created. The deployment.config file is a text file containing 2 keys. They are: deployment.system.config = deployment.system.config.mandatory = For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.config. For 64 bit systems you must check both the 64 bit and the 32 bit config files: C:\Program Files\Java\jre7\lib\deployment.config C:\Program Files (x86)\Java\jre7\lib\deployment.config Verify the 'deployment.system.config' key in the deployment.config file is set to the correct path. Note that the characters : and \ must be delimited by a backslash. The path contained in the deployment.config file(s) will depend upon system architecture. The following paths are examples. Drive letters may vary based upon your system. For 32 bit systems the path is: 'file:C\:\\Program Files\\Java\\jre7\\lib\\deployment.properties' For 64 bit systems the paths are: 'file:C\:\\Program Files\\Java\\jre7\\lib\\deployment.properties' 'file:C\:\\Program Files (x86)\\Java\\jre7\\lib\\deployment.properties' Verify the 'deployment.system.config.mandatory' key in the deployment.config file(s) are set to 'false'. If the 'deployment.system.config' key is not set to the correct path and the 'deployment.system.config.mandatory' key is not set to false, this is a finding.

Fix: F-37157r7_fix

If the deployment.config file does not exist, create the file. The deployment.config file is a text file containing 2 keys. They are: deployment.system.config = deployment.system.config.mandatory = On 32-bit systems the deployment config file should be located at: C:\Program Files\Java\jre7\lib\deployment.config On 64-bit systems there can be 2 locations for the deployment.config file. One is for 32 bit JRE and the other for 64 bit JRE: 64 bit - C:\Program Files\Java\jre7\lib\deployment.config 32 bit - C:\Program Files (x86)\Java\jre7\lib\deployment.config Include the following keys and values in the appropriate deployment.config file based upon your system architecture. If you are running both a 32 bit and a 64 bit JRE, you need to update both deployment.config files. The following are examples, drive letters may vary. 32 bit 'deployment.system.config=file:C\:\\Program Files (x86)\\Java\\jre7\\lib\\deployment.properties' 'deployment.system.config.mandatory=false'. 64 bit 'deployment.system.config=file:C\:\\Program Files\\Java\\jre7\\lib\\deployment.properties' 'deployment.system.config.mandatory=false'.

b
A configuration file must be present to deploy properties for JRE.
Medium - V-32901 - SV-43647r2_rule
RMF Control
Severity
M
CCI
Version
JRE0070-J72K7
Vuln IDs
  • V-32901
Rule IDs
  • SV-43647r2_rule
The deployment.config file is used for specifying the location and execution of system-level properties for the Java Runtime Environment. By default no deployment.config file exists; thus, no system-wide deployment.properties file exists. 64-bit systems require two copies of the file, one for the 64-bit JRE and the other for the 32-bit JRE. Without the deployment.config file, setting particular options for the Java control panel is impossible.DCBP-1
Checks: C-41523r5_chk

On 32-bit systems, verify that one JRE deployment configuration file exists as indicated: C:\Program Files\Java\jre7\lib\deployment.config On 64-bit systems, verify that two JRE deployment configuration files exist as indicated: C:\Program Files\Java\jre7\lib\deployment.config C:\Program Files (x86)\Java\jre7\lib\deployment.config If the configuration files do not exist as indicated, this is a finding.

Fix: F-37159r5_fix

On 32-bit systems, create a JRE deployment configuration file as indicated: C:\Program Files\Java\jre7\lib\deployment.config On 64-bit systems, create two JRE deployment configuration files as indicated: C:\Program Files\Java\jre7\lib\deployment.config C:\Program Files (x86)\Java\jre7\lib\deployment.config

b
A properties file must be present to hold all the keys that establish properties within the Java control panel.
Medium - V-32902 - SV-43648r3_rule
RMF Control
Severity
M
CCI
Version
JRE0080-J72K7
Vuln IDs
  • V-32902
Rule IDs
  • SV-43648r3_rule
The deployment.properties file is used for specifying keys for the Java Runtime Environment. Each option in the Java control panel is represented by property keys. These keys adjust the options in the Java control panel based on the value assigned to that key. By default no deployment.properties file exists; thus, no system-wide deployment exists. Without the deployment.properties file, setting particular options for the Java control panel is impossible. DCBP-1
Checks: C-41525r5_chk

If the system is on the SIPRNET this requirement is NA. Locate the deployment.properties files. For 32 bit systems the path is: 'C:\Program Files\Java\jre7\lib\deployment.properties' For 64 bit systems there are 2 potential paths as there can be 2 separate JRE's one 32 bit and one 64 bit: 'C:\Program Files\Java\jre7\lib\deployment.properties' 'C:\Program Files (x86)\Java\jre7\lib\deployment.properties' If there are no files entitled 'deployment.properties', this is a finding.

Fix: F-37161r4_fix

Create the Java deployment properties file. The location of this file can vary. For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.properties. For 64 bit systems you must check both the 64 bit and the 32 bit files in order for both runtimes to be affected. C:\Program Files\Java\jre7\lib\deployment.properties C:\Program Files (x86)\Java\jre7\lib\deployment.properties Create a properties file entitled 'deployment.properties'. At a minimum, the following keys must be present in the deployment.properties file. deployment.security.askgrantdialog.notinca=false deployment.security.askgrantdialog.notinca.locked deployment.security.validation.crl=true deployment.security.validation.crl.locked deployment.security.validation.ocsp=true deployment.security.validation.ocsp.locked

b
The version of the JRE running on the system must be the most current available.
Medium - V-39239 - SV-51124r1_rule
RMF Control
Severity
M
CCI
Version
JRE0090-J72K7
Vuln IDs
  • V-39239
Rule IDs
  • SV-51124r1_rule
The JRE is being continually updated by the vendor in order to address identified security vulnerabilities. Running an older version of the JRE can introduce security vulnerabilities to the system.Java applications are runtime version dependant. Applications must be tested to ensure compatability with new Java Runtime version prior to applying upgrades to production environment. Failure to test application functionality with the newest version of JRE could result in undesireable results up to and including partial or full application failure.System AdministratorDCBP-1
Checks: C-46509r5_chk

Open a terminal window and type the command; "java -version" sans quotes. The return value should contain Java build information; "Java (TM) SE Runtime Environment (build x.x.x.x)" Cross reference the build information on the system with the Oracle Java site to identify the most recent build available. http://www.oracle.com/technetwork/java/javase/downloads/index.html

Fix: F-44218r5_fix

Test applications to ensure operational compatability with new version of Java. Install latest version of Java JRE.