Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

Java Runtime Environment (JRE) version 8 STIG for Unix

V1R3 · · · Released 27 Oct 2017 · 16 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

The Java Runtime Environment (JRE) is a bundle developed and offered by Oracle Corporation which includes the Java Virtual Machine (JVM), class libraries, and other components necessary to run Java applications and applets. Certain default settings within the JRE pose a security risk so it is necessary to deploy system wide properties to ensure a higher degree of security when utilizing the JRE.
Sort by
b
Oracle JRE 8 must have a deployment.config file present.
CM-6 - Medium - CCI-000366 - V-66721 - SV-81211r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
JRE8-UX-000010
Vuln IDs
  • V-66721
Rule IDs
  • SV-81211r1_rule
By default no deployment.config file exists; thus, no system-wide deployment.properties file exists. The file must be created. The deployment.config file is used for specifying the location and execution of system-level properties for the Java Runtime Environment. Without the deployment.config file, setting particular options for the Java control panel is impossible.
Checks: C-67371r1_chk

Verify a JRE deployment configuration file exists as indicated: /etc/.java/deployment/deployment.config If the configuration file does not exist as indicated, this is a finding.

Fix: F-72821r1_fix

Create a JRE deployment configuration file as indicated: /etc/.java/deployment/deployment.config

b
Oracle JRE 8 deployment.config file must contain proper keys and values.
CM-6 - Medium - CCI-000366 - V-66909 - SV-81399r2_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
JRE8-UX-000020
Vuln IDs
  • V-66909
Rule IDs
  • SV-81399r2_rule
The deployment.config configuration file contains two keys. The "deployment.properties" key includes the path of the "deployment.properties" file and the "deployment.properties.mandatory" key contains either a TRUE or FALSE value. If the path specified to "deployment.properties" does not lead to a "deployment.properties" file, the value of the “deployment.system.config.mandatory” key determines how JRE will handle the situation. If the value of the "deployment.system.config.mandatory" key is TRUE and if the path to the "deployment.properties" file is invalid, the JRE will not allow Java applications to run. This is the desired behavior.
Checks: C-67545r2_chk

Navigate to the “deployment.config” file for JRE: /etc/.java/deployment/deployment.config The deployment.config file contains two properties: deployment.system.config and deployment.system.config.mandatory. The "deployment.system.config" key points to the location of the deployment.properties file. The location is variable. It can point to a file on the local disk, or a UNC path. The following is an example: “deployment.system.config=/etc/.java/deployment/deployment.properties" If the “deployment.system.config” key does not exist or does not point to the location of the deployment.properties file, this is a finding. If the “deployment.system.config.mandatory” key does not exist or is set to false, this is a finding.

Fix: F-73009r2_fix

Navigate to the “deployment.config” file for JRE: /etc/.java/deployment/deployment.config Add the key “deployment.system.config=<Path to deployment.properties>” to the deployment.config file. The following is an example: “deployment.system.config=/etc/.java/deployment/deployment.properties". Note the use of forward slashes. Add the key “deployment.system.config.mandatory=true” to the deployment.config file.

b
Oracle JRE 8 must have a deployment.properties file present.
CM-6 - Medium - CCI-000366 - V-66911 - SV-81401r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
JRE8-UX-000030
Vuln IDs
  • V-66911
Rule IDs
  • SV-81401r1_rule
By default no deployment.properties file exists; thus, no system-wide deployment exists. The file must be created. The deployment.properties file is used for specifying keys for the Java Runtime Environment. Each option in the Java control panel is represented by property keys. These keys adjust the options in the Java control panel based on the value assigned to that key. Without the deployment.properties file, setting particular options for the Java control panel is impossible.
Checks: C-67547r1_chk

Navigate to the system-level “deployment.properties” file for JRE. /etc/.java/deployment/deployment.properties If there is no file entitled “deployment.properties”, this is a finding.

Fix: F-73011r1_fix

Create the Java deployment properties file “/etc/.java/deployment/deployment.properties”

a
Oracle JRE 8 must default to the most secure built-in setting.
CM-6 - Low - CCI-000366 - V-66913 - SV-81403r1_rule
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
JRE8-UX-000060
Vuln IDs
  • V-66913
Rule IDs
  • SV-81403r1_rule
Applications that are signed with a valid certificate and include the permissions attribute in the manifest for the main JAR file are allowed to run with security prompts. All other applications are blocked. Unsigned applications could perform numerous types of attacks on a system.
Checks: C-67549r1_chk

Navigate to the system-level “deployment.properties” file for JRE. /etc/.java/deployment/deployment.properties If the key “deployment.security.level=VERY_HIGH” is not present in the deployment.properties file, or is set to “HIGH”, this is a finding. If the key “deployment.security.level.locked” is not present in the deployment.properties file, this is a finding.

Fix: F-73013r1_fix

Navigate to the system-level “deployment.properties” file for JRE. /etc/.java/deployment/deployment.properties Add the key “deployment.security.level=VERY_HIGH” to the deployment.properties file. Add the key “deployment.security.level.locked” to the deployment.properties file.

b
Oracle JRE 8 must be set to allow Java Web Start (JWS) applications.
CM-6 - Medium - CCI-000366 - V-66915 - SV-81405r1_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
JRE8-UX-000070
Vuln IDs
  • V-66915
Rule IDs
  • SV-81405r1_rule
Java Web Start (JWS) applications are the most commonly used. Denying these applications could be detrimental to the user experience. Whitelisting, blacklisting, and signing of applications help mitigate the risk of running JWS applications.
Checks: C-67551r1_chk

Navigate to the system-level “deployment.properties” file for JRE. /etc/.java/deployment/deployment.properties If the key “deployment.webjava.enabled=true” is not present in the deployment.properties file, or is set to “false”, this is a finding. If the key “deployment.webjava.enabled.locked” is not present in the deployment.properties file, this is a finding.

Fix: F-73015r1_fix

Navigate to the system-level “deployment.properties” file for JRE. /etc/.java/deployment/deployment.properties Add the key “deployment.webjava.enabled=true” to the deployment.properties file. Add the key “deployment.webjava.enabled.locked” to the deployment.properties file.

b
Oracle JRE 8 must disable the dialog enabling users to grant permissions to execute signed content from an untrusted authority.
SC-18 - Medium - CCI-001695 - V-66917 - SV-81407r1_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001695
Version
JRE8-UX-000080
Vuln IDs
  • V-66917
Rule IDs
  • SV-81407r1_rule
Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their information populated into the browser, enabling Java to validate applets against trusted sources. Permitting execution of signed Java applets from untrusted sources may result in acquiring malware, and risks system modification, invasion of privacy, or denial of service.
Checks: C-67553r1_chk

If the system is on the SIPRNet, this requirement is NA. Navigate to the system-level “deployment.properties” file for Java. /etc/.java/deployment/deployment.properties If the key, “deployment.security.askgrantdialog.notinca=false” is not present, this is a finding. If the key, “deployment.security.askgrantdialog.notinca.locked” is not present, this is a finding. If the key “deployment.security.askgrantdialog.notinca” exists and is set to true, this is a finding.

Fix: F-73017r1_fix

If the system is on the SIPRNet, this requirement is NA. Disable the “Allow user to grant permissions to content from an untrusted authority” feature. Navigate to the system-level “deployment.properties” file for JRE. /etc/.java/deployment/deployment.properties Add the key “deployment.security.askgrantdialog.notinca=false” to the deployment.properties file. Add the key “deployment.security.askgrantdialog.notinca.locked” to the deployment.properties file.

b
Oracle JRE 8 must lock the dialog enabling users to grant permissions to execute signed content from an untrusted authority.
SC-18 - Medium - CCI-001695 - V-66919 - SV-81409r1_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001695
Version
JRE8-UX-000090
Vuln IDs
  • V-66919
Rule IDs
  • SV-81409r1_rule
Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their information populated into the browser, enabling Java to validate applets against trusted sources. Permitting execution of signed Java applets from untrusted sources may result in acquiring malware, and risks system modification, invasion of privacy, or denial of service. Ensuring users cannot change settings contributes to a more consistent security profile.
Checks: C-67555r1_chk

If the system is on the SIPRNet, this requirement is NA. Navigate to the system-level “deployment.properties” file for JRE. /etc/.java/deployment/deployment.properties If the key, “deployment.security.askgrantdialog.show=false” is not present, this is a finding. If the key, “deployment.security.askgrantdialog.show.locked” is not present, this is a finding. If the key “deployment.security.askgrantdialog.show” exists and is set to true, this is a finding.

Fix: F-73019r1_fix

If the system is on the SIPRNet, this requirement is NA. Lock the “Allow user to grant permissions to content from an untrusted authority” feature. Navigate to the system-level “deployment.properties” file for JRE. /etc/.java/deployment/deployment.properties Add the key “deployment.security.askgrantdialog.show=false” to the deployment.properties file. Add the key “deployment.security.askgrantdialog.show.locked” to the deployment.properties file.

b
Oracle JRE 8 must set the option to enable online certificate validation.
IA-5 - Medium - CCI-000185 - V-66921 - SV-81411r1_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000185
Version
JRE8-UX-000100
Vuln IDs
  • V-66921
Rule IDs
  • SV-81411r1_rule
Online certificate validation provides a real-time option to validate a certificate. When enabled, if a certificate is presented, the status of the certificate is requested. The status is sent back as “current”, “expired”, or “unknown”. Online certificate validation provides a greater degree of validation of certificates when running a signed Java applet. Permitting execution of an applet with an invalid certificate may result in malware, system modification, invasion of privacy, and denial of service.
Checks: C-67557r1_chk

If the system is on the SIPRNet, this requirement is NA. Navigate to the system-level “deployment.properties” file for JRE. /etc/.java/deployment/deployment.properties If the key “deployment.security.validation.ocsp=true” is not present in the deployment.properties file, this is a finding. If the key “deployment.security.validation.ocsp.locked” is not present in the deployment.properties file, this is a finding. If the key “deployment.security.validation.ocsp” is set to “false”, this is a finding.

Fix: F-73021r2_fix

If the system is on the SIPRNet, this requirement is NA. Navigate to the system-level “deployment.properties” file for JRE. /etc/.java/deployment/deployment.properties Add the key “deployment.security.validation.ocsp=true” to the deployment.properties file. Add the key “deployment.security.validation.ocsp.locked” to the deployment.properties file.

b
Oracle JRE 8 must prevent the download of prohibited mobile code.
SC-18 - Medium - CCI-001169 - V-66923 - SV-81413r1_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001169
Version
JRE8-UX-000110
Vuln IDs
  • V-66923
Rule IDs
  • SV-81413r1_rule
Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed, downloaded, or executed on all endpoints (e.g., servers, workstations, and smart phones). This requirement applies to applications that execute, evaluate, or otherwise process mobile code (e.g., web applications, browsers, and anti-virus applications).
Checks: C-67559r1_chk

Navigate to the system-level “deployment.properties” file for JRE. /etc/.java/deployment/deployment.properties If the key “deployment.security.blacklist.check=true” is not present in the deployment.properties file, or is set to “false”, this is a finding. If the key “deployment.security.blacklist.check.locked” is not present in the deployment.properties file, this is a finding.

Fix: F-73023r2_fix

Navigate to the system-level “deployment.properties” file for JRE. /etc/.java/deployment/deployment.properties Add the key “deployment.security.blacklist.check=true” to the deployment.properties file. Add the key “deployment.security.blacklist.check.locked” to the deployment.properties file.

b
Oracle JRE 8 must enable the option to use an accepted sites list.
CM-7 - Medium - CCI-001774 - V-66925 - SV-81415r2_rule
RMF Control
CM-7
Severity
M
CCI
CCI-001774
Version
JRE8-UX-000120
Vuln IDs
  • V-66925
Rule IDs
  • SV-81415r2_rule
Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. Verification of whitelisted software can occur either prior to execution or at system startup. This requirement applies to configuration management applications or similar types of applications designed to manage system processes and configurations (e.g., HBSS and software wrappers).
Checks: C-67561r2_chk

Navigate to the system-level “deployment.properties” file for JRE. /etc/.java/deployment/deployment.properties If the key “deployment.user.security.exception.sites” is not present in the deployment.properties file, this is a finding. If the key “deployment.user.security.exception.sites” is not set to the location of the exception.sites file, this is a finding. An example of a correct setting is: deployment.user.security.exception.sites=/etc/.java/deployment/exception.sites

Fix: F-73025r2_fix

Navigate to the system-level “deployment.properties” file for JRE. /etc/.java/deployment/deployment.properties Add the key “deployment.user.security.exception.sites=/etc/.java/deployment/exception.sites” to the deployment.properties file.

b
Oracle JRE 8 must have an exception.sites file present.
CM-7 - Medium - CCI-001774 - V-66927 - SV-81417r1_rule
RMF Control
CM-7
Severity
M
CCI
CCI-001774
Version
JRE8-UX-000130
Vuln IDs
  • V-66927
Rule IDs
  • SV-81417r1_rule
Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. Verification of whitelisted software can occur either prior to execution or at system startup. This requirement applies to configuration management applications or similar types of applications designed to manage system processes and configurations (e.g., HBSS and software wrappers).
Checks: C-67563r1_chk

If the system is on the SIPRNet, this requirement is NA. Navigate to the “exception.sites” file for Java: /etc/.java/deployment/exception.sites If the exception.sites file does not exist, it must be created. The exception.sites file is a text file containing single-line URLs for accepted risk sites. If there are no AO approved sites to be added to the configuration, it is acceptable for this file to be blank. If the “exception.sites” file does not exist, this is a finding. If the “exception.sites” file contains URLs that are not AO approved, this is a finding.

Fix: F-73027r2_fix

If the system is on the SIPRNet, this requirement is NA. Create the JRE exception.sites file: No default file exists. A text file named exception.sites, and the directory structure in which it is located must be manually created. The location must be aligned as defined in the deployment.properties file. /etc/.java/deployment/deployment.properties is an example.

b
Oracle JRE 8 must enable the dialog to enable users to check publisher certificates for revocation.
IA-5 - Medium - CCI-001991 - V-66929 - SV-81419r1_rule
RMF Control
IA-5
Severity
M
CCI
CCI-001991
Version
JRE8-UX-000150
Vuln IDs
  • V-66929
Rule IDs
  • SV-81419r1_rule
A certificate revocation list is a directory which contains a list of certificates that have been revoked for various reasons. Certificates may be revoked due to improper issuance, compromise of the certificate, and failure to adhere to policy. Therefore, any certificate found on a CRL should not be trusted. Permitting execution of an applet published with a revoked certificate may result in spoofing, malware, system modification, invasion of privacy, and denial of service.
Checks: C-67565r1_chk

If the system is on the SIPRNet, this requirement is NA. Navigate to the system-level “deployment.properties” file for JRE. /etc/.java/deployment/deployment.properties If the key “deployment.security.validation.crl=true” is not present in the deployment.properties file, or is set to “false”, this is a finding. If the key “deployment.security.validation.crl.locked” is not present in the deployment.properties file, this is a finding.

Fix: F-73029r2_fix

If the system is on the SIPRNet, this requirement is NA. Enable the “Check certificates for revocation using Certificate Revocation Lists (CRL)” option. Navigate to the system-level “deployment.properties” file for JRE. /etc/.java/deployment/deployment.properties Add the key “deployment.security.validation.crl=true” to the deployment.properties file. Add the key “deployment.security.validation.crl.locked” to the deployment.properties file.

b
Oracle JRE 8 must lock the option to enable users to check publisher certificates for revocation.
IA-5 - Medium - CCI-001991 - V-66931 - SV-81421r1_rule
RMF Control
IA-5
Severity
M
CCI
CCI-001991
Version
JRE8-UX-000160
Vuln IDs
  • V-66931
Rule IDs
  • SV-81421r1_rule
Certificates may be revoked due to improper issuance, compromise of the certificate, and failure to adhere to policy. Therefore, any certificate found revoked on a CRL or via Online Certificate Status Protocol (OCSP) should not be trusted. Permitting execution of an applet published with a revoked certificate may result in spoofing, malware, system modification, invasion of privacy, and denial of service. Ensuring users cannot change these settings assures a more consistent security profile.
Checks: C-67567r1_chk

If the system is on the SIPRNet, this requirement is NA. Navigate to the system-level “deployment.properties” file for JRE. /etc/.java/deployment/deployment.properties If the key “deployment.security.revocation.check=ALL_CERTIFICATES” is not present, or is set to “PUBLISHER_ONLY”, or “NO_CHECK”, this is a finding. If the key “deployment.security.revocation.check.locked” is not present, this is a finding.

Fix: F-73031r2_fix

If the system is on the SIPRNet, this requirement is NA. Navigate to the system-level “deployment.properties” file for JRE. /etc/.java/deployment/deployment.properties Add the key “deployment.security.revocation.check=ALL_CERTIFICATES” to the deployment.properties file. Add the key “deployment.security.revocation.check.locked” to the deployment.properties file.

b
Oracle JRE 8 must prompt the user for action prior to executing mobile code.
SC-18 - Medium - CCI-002460 - V-66933 - SV-81423r1_rule
RMF Control
SC-18
Severity
M
CCI
CCI-002460
Version
JRE8-UX-000170
Vuln IDs
  • V-66933
Rule IDs
  • SV-81423r1_rule
Mobile code can cause damage to the system. It can execute without explicit action from, or notification to, a user. Actions enforced before executing mobile code include, for example, prompting users prior to opening email attachments and disabling automatic execution. This requirement applies to mobile code-enabled software, which is capable of executing one or more types of mobile code.
Checks: C-67569r1_chk

Navigate to the system-level “deployment.properties” file for JRE. /etc/.java/deployment/deployment.properties If the key “deployment.insecure.jres=PROMPT” is not present in the deployment.properties file, this is a finding. If the key “deployment.insecure.jres.locked” is not present in the deployment.properties file, this is a finding. If the key “deployment.insecure.jres” is set to “NEVER”, this is a finding.

Fix: F-73033r2_fix

Navigate to the system-level “deployment.properties” file for JRE. /etc/.java/deployment/deployment.properties Add the key “deployment.insecure.jres=PROMPT” to the deployment.properties file. Add the key “deployment.insecure.jres.locked” to the deployment.properties file.

b
Oracle JRE 8 must remove previous versions when the latest version is installed.
SI-2 - Medium - CCI-002617 - V-66935 - SV-81425r1_rule
RMF Control
SI-2
Severity
M
CCI
CCI-002617
Version
JRE8-UX-000190
Vuln IDs
  • V-66935
Rule IDs
  • SV-81425r1_rule
Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.
Checks: C-67571r1_chk

Review the system configuration to ensure old versions of JRE have been removed. There are two ways to uninstall Java. Use the method that you used when you installed Java. For example, if you used RPM to install Java, then use the RPM uninstall method. If RPM is installed, first query to ascertain that JRE was installed using RPM. Search for the JRE package by typing: # rpm -qa | grep -i jre If RPM reports a package similar to jre-&lt;version&gt;-fcs, then JRE is installed with RPM. If JRE is not installed using RPM, skip to "Self-extracting file uninstall". To uninstall Java via RPM, type: # rpm -e jre-&lt;version&gt;-fcs Self-extracting file uninstall: 1. Browse folders to ascertain where JRE is installed. Common locations are /usr/java/jre_&lt;version&gt; or opt/jre_nb/jre_&lt;version&gt;/bin/java/ 2. When you have located the directory, you may delete the directory by using the following command: Note: Ensure JRE is not already installed using RPM before removing the directory. # rm -r /&lt;path to jre&gt;/jre&lt;version&gt; Ensure only one instance of JRE is installed on the system. # ps -ef | grep -I jre If more than one instance of JRE is running, this is a finding.

Fix: F-73035r1_fix

Remove previous versions of JRE. RPM uninstall: # rpm -e jre-<version>-fcs Self-extracting file uninstall: # rm -r jre<version> Perform for all out of date instances of JRE.

c
The version of Oracle JRE 8 running on the system must be the most current available.
SI-2 - High - CCI-002605 - V-66937 - SV-81427r1_rule
RMF Control
SI-2
Severity
H
CCI
CCI-002605
Version
JRE8-UX-000180
Vuln IDs
  • V-66937
Rule IDs
  • SV-81427r1_rule
Oracle JRE 8 is being continually updated by the vendor in order to address identified security vulnerabilities. Running an older version of the JRE can introduce security vulnerabilities to the system.
Checks: C-67573r1_chk

Open a terminal window and type the command: "java -version" sans quotes. The return value should contain Java build information: "Java (TM) SE Runtime Environment (build x.x.x.x)" Cross reference the build information on the system with the Oracle Java site to identify the most recent build available. If the version of Oracle JRE 8 running on the system is out of date, this is a finding.

Fix: F-73037r1_fix

Test applications to ensure operational compatibility with new version of Java. Install latest version of Oracle JRE 8.