View STIG - Oracle Java Runtime Environment (JRE) Version 8 for Windows Security Technical Implementation Guide V2R1

b

Oracle JRE 8 must have a deployment.config file present.

CM-6 - Medium - CCI-000366 - V-234683 - SV-234683r617446_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

JRE8-WN-000010

Vuln IDs

V-234683
V-66939

Rule IDs

SV-234683r617446_rule
SV-81429

By default no deployment.config file exists; thus, no system-wide deployment.properties file exists. The file must be created. The deployment.config file is used for specifying the location and execution of system-level properties for the Java Runtime Environment. Without the deployment.config file, setting particular options for the Java control panel is impossible. The deployment.config file can be created in either of the following locations: \Sun\Java\Deployment\deployment.config - or - \lib\deployment.config

Checks: C-37868r616105_chk

By default, no "deployment.config" file exists; it must be created. Verify a "deployment.config" configuration file exists in either: <Windows Directory>\Sun\Java\Deployment\deployment.config - or - <JRE Installation Directory>\Lib\deployment.config If the "deployment.config" configuration file does not exist in either of these folders, this is a finding.

Fix: F-37833r616106_fix

By default, no "deployment.config" file exists; a text file must be created. Create a JRE deployment configuration file in either: <Windows Directory>\Sun\Java\Deployment\deployment.config - or - <JRE Installation Directory>\Lib\deployment.config

b

Oracle JRE 8 deployment.config file must contain proper keys and values.

CM-6 - Medium - CCI-000366 - V-234684 - SV-234684r617446_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

JRE8-WN-000020

Vuln IDs

V-234684
V-66941

Rule IDs

SV-234684r617446_rule
SV-81431

The deployment.config configuration file contains two keys. The "deployment.properties" key includes the path of the "deployment.properties" file and the "deployment.properties.mandatory" key contains either a TRUE or FALSE value. If the path specified to "deployment.properties" does not lead to a "deployment.properties" file, the value of the “deployment.system.config.mandatory” key determines how JRE will handle the situation. If the value of the "deployment.system.config.mandatory" key is TRUE and if the path to the "deployment.properties" file is invalid, the JRE will not allow Java applications to run. This is the desired behavior.

Checks: C-37869r616108_chk

Navigate to the "deployment.config" file for Java: <Windows Directory>\Sun\Java\Deployment\deployment.config - or - <JRE Installation Directory>\Lib\deployment.config The "deployment.config" file contains two properties: deployment.system.config and deployment.system.config.mandatory. The "deployment.system.config" key points to the location of the "deployment.properties" file. The location is variable. It can point to a file on the local disk or a UNC path. The following is an example: "deployment.system.config=file:///C:/Windows/Java/Deployment/deployment.properties" If the "deployment.system.config" key does not exist or does not point to the location of the "deployment.properties" file, this is a finding. If the "deployment.system.config.mandatory" key does not exist or is set to "false", this is a finding.

Fix: F-37834r616109_fix

Navigate to the "deployment.config" file for JRE. Add the key "deployment.system.config=<Path to deployment.properties>" to the "deployment.config" file. The following is an example: "deployment.system.config=file:///C:/Windows/Java/Deployment/deployment.properties". Note the use of forward slashes. Add the key "deployment.system.config.mandatory=true" to the "deployment.config" file.

b

Oracle JRE 8 must have a deployment.properties file present.

CM-6 - Medium - CCI-000366 - V-234685 - SV-234685r617446_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

JRE8-WN-000030

Vuln IDs

V-234685
V-66943

Rule IDs

SV-234685r617446_rule
SV-81433

By default no deployment.properties file exists; thus, no system-wide deployment exists. The file must be created. The deployment.properties file is used for specifying keys for the Java Runtime Environment. Each option in the Java control panel is represented by property keys. These keys adjust the options in the Java control panel based on the value assigned to that key. Without the deployment.properties file, setting particular options for the Java control panel is impossible.

Checks: C-37870r616111_chk

Navigate to the system-level "deployment.properties" file for JRE. The location of the "deployment.properties" file is defined in the "deployment.config" file. If there are no files titled "deployment.properties", this is a finding.

Fix: F-37835r616112_fix

Create the JRE "deployment.properties" file: No default file exists. A text file named "deployment.properties", and the directory structure in which it is located, must be manually created. The location must be aligned as defined in the "deployment.config" file. C:\Windows\Java\Deployment\deployment.properties is an example.

a

Oracle JRE 8 must default to the most secure built-in setting.

CM-6 - Low - CCI-000366 - V-234686 - SV-234686r617446_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

JRE8-WN-000060

Vuln IDs

V-234686
V-66945

Rule IDs

SV-234686r617446_rule
SV-81435

Applications that are signed with a valid certificate and include the permissions attribute in the manifest for the main JAR file are allowed to run with security prompts. All other applications are blocked. Unsigned applications could perform numerous types of attacks on a system.

Checks: C-37871r616114_chk

Navigate to the system-level "deployment.properties" file for JRE. <Windows Directory>\Sun\Java\Deployment\deployment.properties - or - <JRE Installation Directory>\Lib\deployment.properties If the key "deployment.security.level=VERY_HIGH" is not present in the "deployment.properties file", or is set to "HIGH", this is a finding. If the key "deployment.security.level.locked" is not present in the "deployment.properties" file, this is a finding.

Fix: F-37836r616115_fix

Navigate to the system-level "deployment.properties" file for JRE. Add the key "deployment.security.level=VERY_HIGH" to the "deployment.properties" file. Add the key "deployment.security.level.locked" to the "deployment.properties" file.

b

Oracle JRE 8 must be set to allow Java Web Start (JWS) applications.

CM-6 - Medium - CCI-000366 - V-234687 - SV-234687r617446_rule

RMF Control

CM-6

Severity

M

CCI

CCI-000366

Version

JRE8-WN-000070

Vuln IDs

V-234687
V-66947

Rule IDs

SV-234687r617446_rule
SV-81437

Java Web Start (JWS) applications are the most commonly used. Denying these applications could be detrimental to the user experience. Whitelisting, blacklisting, and signing of applications help mitigate the risk of running JWS applications.

Checks: C-37872r616117_chk

Navigate to the system-level “deployment.properties” file for JRE. The location of the deployment.properties file is defined in <JRE Installation Directory>\Lib\deployment.config If the key “deployment.webjava.enabled=true” is not present in the deployment.properties file, or is set to “false”, this is a finding. If the key “deployment.webjava.enabled.locked” is not present in the deployment.properties file, this is a finding. Note: If JWS is not enabled, this requirement is NA.

Fix: F-37837r616118_fix

Navigate to the system-level “deployment.properties” file for JRE. The location of the deployment.properties file is defined in <JRE Installation Directory>\Lib\deployment.config Add the key “deployment.webjava.enabled=true” to the deployment.properties file. Add the key “deployment.webjava.enabled.locked” to the deployment.properties file. Note: If JWS is not enabled, this requirement is NA.

b

Oracle JRE 8 must disable the dialog enabling users to grant permissions to execute signed content from an untrusted authority.

SC-18 - Medium - CCI-001695 - V-234688 - SV-234688r617446_rule

RMF Control

SC-18

Severity

M

CCI

CCI-001695

Version

JRE8-WN-000080

Vuln IDs

V-234688
V-66949

Rule IDs

SV-234688r617446_rule
SV-81439

Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their information populated into the browser, enabling Java to validate applets against trusted sources. Permitting execution of signed Java applets from untrusted sources may result in acquiring malware, and risks system modification, invasion of privacy, or denial of service.

Checks: C-37873r616120_chk

If the system is on the SIPRNet, this requirement is NA. Navigate to the system-level "deployment.properties" file for Java. <Windows Directory>\Sun\Java\Deployment\deployment.properties - or - <JRE Installation Directory>\Lib\deployment.properties If the key "deployment.security.askgrantdialog.notinca=false" is not present, this is a finding. If the key "deployment.security.askgrantdialog.notinca.locked" is not present, this is a finding. If the key "deployment.security.askgrantdialog.notinca" exists and is set to "true", this is a finding.

Fix: F-37838r616121_fix

If the system is on the SIPRNet, this requirement is NA. Disable the "Allow user to grant permissions to content from an untrusted authority" feature. Navigate to the system-level "deployment.properties" file for JRE. Add the key "deployment.security.askgrantdialog.notinca=false" to the "deployment.properties" file. Add the key "deployment.security.askgrantdialog.notinca.locked" to the "deployment.properties" file.

b

Oracle JRE 8 must lock the dialog enabling users to grant permissions to execute signed content from an untrusted authority.

SC-18 - Medium - CCI-001695 - V-234689 - SV-234689r617446_rule

RMF Control

SC-18

Severity

M

CCI

CCI-001695

Version

JRE8-WN-000090

Vuln IDs

V-234689
V-66951

Rule IDs

SV-234689r617446_rule
SV-81441

Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their information populated into the browser, enabling Java to validate applets against trusted sources. Permitting execution of signed Java applets from untrusted sources may result in acquiring malware, and risks system modification, invasion of privacy, or denial of service. Ensuring users cannot change settings contributes to a more consistent security profile.

Checks: C-37874r616123_chk

If the system is on the SIPRNet, this requirement is NA. Navigate to the system-level "deployment.properties" file for JRE. <Windows Directory>\Sun\Java\Deployment\deployment.properties - or - <JRE Installation Directory>\Lib\deployment.properties If the key "deployment.security.askgrantdialog.show=false" is not present, this is a finding. If the key "deployment.security.askgrantdialog.show.locked" is not present, this is a finding. If the key "deployment.security.askgrantdialog.show" exists and is set to "true", this is a finding.

Fix: F-37839r616124_fix

If the system is on the SIPRNet, this requirement is NA. Lock the "Allow user to grant permissions to content from an untrusted authority" feature. Navigate to the system-level "deployment.properties" file for JRE. Add the key "deployment.security.askgrantdialog.show=false" to the "deployment.properties" file. Add the key "deployment.security.askgrantdialog.show.locked" to the "deployment.properties" file.

b

Oracle JRE 8 must set the option to enable online certificate validation.

IA-5 - Medium - CCI-000185 - V-234690 - SV-234690r617446_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000185

Version

JRE8-WN-000100

Vuln IDs

V-234690
V-66953

Rule IDs

SV-234690r617446_rule
SV-81443

Online certificate validation provides a real-time option to validate a certificate. When enabled, if a certificate is presented, the status of the certificate is requested. The status is sent back as “current”, “expired”, or “unknown”. Online certificate validation provides a greater degree of validation of certificates when running a signed Java applet. Permitting execution of an applet with an invalid certificate may result in malware, system modification, invasion of privacy, and denial of service.

Checks: C-37875r616126_chk

If the system is on the SIPRNet, this requirement is NA. Navigate to the system-level "deployment.properties" file for JRE. <Windows Directory>\Sun\Java\Deployment\deployment.properties - or - <JRE Installation Directory>\Lib\deployment.properties If the key "deployment.security.validation.ocsp=true" is not present in the "deployment.properties" file, this is a finding. If the key "deployment.security.validation.ocsp.locked" is not present in the "deployment.properties" file, this is a finding. If the key "deployment.security.validation.ocsp" is set to "false", this is a finding.

Fix: F-37840r616127_fix

If the system is on the SIPRNet, this requirement is NA. Navigate to the system-level "deployment.properties" file for JRE. Add the key "deployment.security.validation.ocsp=true" to the "deployment.properties" file. Add the key "deployment.security.validation.ocsp.locked" to the "deployment.properties" file.

b

Oracle JRE 8 must prevent the download of prohibited mobile code.

SC-18 - Medium - CCI-001169 - V-234691 - SV-234691r617446_rule

RMF Control

SC-18

Severity

M

CCI

CCI-001169

Version

JRE8-WN-000110

Vuln IDs

V-234691
V-66955

Rule IDs

SV-234691r617446_rule
SV-81445

Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed, downloaded, or executed on all endpoints (e.g., servers, workstations, and smart phones). This requirement applies to applications that execute, evaluate, or otherwise process mobile code (e.g., web applications, browsers, and anti-virus applications).

Checks: C-37876r616129_chk

Navigate to the system-level "deployment.properties" file for JRE. <Windows Directory>\Sun\Java\Deployment\deployment.properties - or - <JRE Installation Directory>\Lib\deployment.properties If the key "deployment.security.blacklist.check=true" is not present in the "deployment.properties" file, or is set to "false", this is a finding. If the key "deployment.security.blacklist.check.locked" is not present in the "deployment.properties" file, this is a finding.

Fix: F-37841r616130_fix

Navigate to the system-level "deployment.properties" file for JRE. Add the key "deployment.security.blacklist.check=true" to the "deployment.properties" file. Add the key "deployment.security.blacklist.check.locked" to the "deployment.properties" file.

b

Oracle JRE 8 must enable the option to use an accepted sites list.

CM-7 - Medium - CCI-001774 - V-234692 - SV-234692r617446_rule

RMF Control

CM-7

Severity

M

CCI

CCI-001774

Version

JRE8-WN-000120

Vuln IDs

V-234692
V-66957

Rule IDs

SV-234692r617446_rule
SV-81447

Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. Verification of whitelisted software can occur either prior to execution or at system startup. This requirement applies to configuration management applications or similar types of applications designed to manage system processes and configurations (e.g., HBSS and software wrappers).

Checks: C-37877r616132_chk

Navigate to the system-level "deployment.properties" file for JRE. <Windows Directory>\Sun\Java\Deployment\deployment.properties - or - <JRE Installation Directory>\Lib\deployment.properties If the key "deployment.user.security.exception.sites" is not present in the "deployment.properties" file, this is a finding. If the key "deployment.user.security.exception.sites" is not set to the location of the "exception.sites" file, this is a finding. An example of a correct setting is: deployment.user.security.exception.sites=C\:\\Windows\\Sun\\Java\\Deployment\\exception.sites

Fix: F-37842r616133_fix

Navigate to the system-level "deployment.properties" file for JRE. Add the key "deployment.user.security.exception.sites=C\:\\Windows\\Sun\\Java\\Deployment\\exception.sites" to the "deployment.properties" file.

b

Oracle JRE 8 must have an exception.sites file present.

CM-7 - Medium - CCI-001774 - V-234693 - SV-234693r617446_rule

RMF Control

CM-7

Severity

M

CCI

CCI-001774

Version

JRE8-WN-000130

Vuln IDs

V-234693
V-66959

Rule IDs

SV-234693r617446_rule
SV-81449

Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. Verification of whitelisted software can occur either prior to execution or at system startup. This requirement applies to configuration management applications or similar types of applications designed to manage system processes and configurations (e.g., HBSS and software wrappers).

Checks: C-37878r616135_chk

If the system is on the SIPRNet, this requirement is NA. Navigate to the “exception.sites” file for Java: The location of the "exception.sites" file is defined in the deployment.properties file. The "exception.sites" file is a text file containing single-line URLs for accepted risk sites. If there are no AO approved sites to be added to the configuration, it is acceptable for this file to be blank. If the “exception.sites” file does not exist, this is a finding. If the “exception.sites” file contains URLs that are not AO approved, this is a finding. Note: DeploymentRuleSet.jar is an acceptable substitute for using exception.sites. Interview the SA to view contents of the "DeploymentRuleSet.jar" file to ensure any AO approved sites are whitelisted.

Fix: F-37843r616136_fix

If the system is on the SIPRNet, this requirement is NA. Create the JRE exception.sites file: No default file exists. A text file named exception.sites, and the directory structure in which it is located must be manually created. The location must be aligned as defined in the deployment.properties file. C:\Windows\Java\Deployment\deployment.properties is an example.

b

Oracle JRE 8 must enable the dialog to enable users to check publisher certificates for revocation.

IA-5 - Medium - CCI-001991 - V-234694 - SV-234694r617446_rule

RMF Control

IA-5

Severity

M

CCI

CCI-001991

Version

JRE8-WN-000150

Vuln IDs

V-234694
V-66961

Rule IDs

SV-234694r617446_rule
SV-81451

A certificate revocation list is a directory which contains a list of certificates that have been revoked for various reasons. Certificates may be revoked due to improper issuance, compromise of the certificate, and failure to adhere to policy. Therefore, any certificate found on a CRL should not be trusted. Permitting execution of an applet published with a revoked certificate may result in spoofing, malware, system modification, invasion of privacy, and denial of service.

Checks: C-37879r616138_chk

If the system is on the SIPRNet, this requirement is NA. Navigate to the system-level "deployment.properties" file for JRE. <Windows Directory>\Sun\Java\Deployment\deployment.properties - or - <JRE Installation Directory>\Lib\deployment.properties If the key "deployment.security.validation.crl=true" is not present in the "deployment.properties" file, or is set to "false", this is a finding. If the key "deployment.security.validation.crl.locked" is not present in the "deployment.properties" file, this is a finding.

Fix: F-37844r616139_fix

If the system is on the SIPRNet, this requirement is NA. Enable the "Check certificates for revocation using If the system is on the SIPRNet, this requirement is NA. Enable the "Check certificates for revocation using Certificate Revocation Lists (CRL)" option. Navigate to the system-level "deployment.properties" file for JRE. Add the key "deployment.security.validation.crl=true" to the "deployment.properties" file. Add the key "deployment.security.validation.crl.locked" to the "deployment.properties" file.

b

Oracle JRE 8 must lock the option to enable users to check publisher certificates for revocation.

IA-5 - Medium - CCI-001991 - V-234695 - SV-234695r617446_rule

RMF Control

IA-5

Severity

M

CCI

CCI-001991

Version

JRE8-WN-000160

Vuln IDs

V-234695
V-66723

Rule IDs

SV-234695r617446_rule
SV-81213

Certificates may be revoked due to improper issuance, compromise of the certificate, and failure to adhere to policy. Therefore, any certificate found revoked on a CRL or via Online Certificate Status Protocol (OCSP) should not be trusted. Permitting execution of an applet published with a revoked certificate may result in spoofing, malware, system modification, invasion of privacy, and denial of service. Ensuring users cannot change these settings assures a more consistent security profile.

Checks: C-37880r616141_chk

If the system is on the SIPRNet, this requirement is NA. Navigate to the system-level “deployment.properties” file for JRE. The location of the deployment.properties file is defined in <JRE Installation Directory>\Lib\deployment.config If the key “deployment.security.revocation.check=ALL_CERTIFICATES” is not present, or is set to “PUBLISHER_ONLY”, or “NO_CHECK”, this is a finding. If the key “deployment.security.revocation.check.locked” is not present, this is a finding.

Fix: F-37845r616142_fix

If the system is on the SIPRNet, this requirement is NA. Navigate to the system-level “deployment.properties” file for JRE. The location of the deployment.properties file is defined in <JRE Installation Directory>\Lib\deployment.config Add the key “deployment.security.revocation.check=ALL_CERTIFICATES” to the deployment.properties file. Add the key “deployment.security.revocation.check.locked” to the deployment.properties file.

b

Oracle JRE 8 must prompt the user for action prior to executing mobile code.

SC-18 - Medium - CCI-002460 - V-234696 - SV-234696r617446_rule

RMF Control

SC-18

Severity

M

CCI

CCI-002460

Version

JRE8-WN-000170

Vuln IDs

V-234696
V-66963

Rule IDs

SV-234696r617446_rule
SV-81453

Mobile code can cause damage to the system. It can execute without explicit action from, or notification to, a user. Actions enforced before executing mobile code include, for example, prompting users prior to opening email attachments and disabling automatic execution. This requirement applies to mobile code-enabled software, which is capable of executing one or more types of mobile code.

Checks: C-37881r616144_chk

Navigate to the system-level "deployment.properties" file for JRE. <Windows Directory>\Sun\Java\Deployment\deployment.properties - or - <JRE Installation Directory>\Lib\deployment.properties If the key "deployment.insecure.jres=PROMPT" is not present in the "deployment.properties" file, this is a finding. If the key "deployment.insecure.jres.locked" is not present in the "deployment.properties" file, this is a finding. If the key "deployment.insecure.jres" is set to "NEVER", this is a finding.

Fix: F-37846r616145_fix

Navigate to the system-level "deployment.properties" file for JRE. Add the key "deployment.insecure.jres=PROMPT" to the "deployment.properties" file. Add the key "deployment.insecure.jres.locked" to the "deployment.properties" file.

c

The version of Oracle JRE 8 running on the system must be the most current available.

SI-2 - High - CCI-002605 - V-234697 - SV-234697r617446_rule

RMF Control

SI-2

Severity

H

CCI

CCI-002605

Version

JRE8-WN-000180

Vuln IDs

V-234697
V-66967

Rule IDs

SV-234697r617446_rule
SV-81457

Oracle JRE 8 is being continually updated by the vendor in order to address identified security vulnerabilities. Running an older version of the JRE can introduce security vulnerabilities to the system.

Checks: C-37882r617345_chk

Open a terminal window and type the command: "java -version" sans quotes. The return value should contain Java build information: "Java (TM) SE Runtime Environment (build x.x.x.x)" Cross-reference the build information on the system with the Oracle Java site to verify the version is supported by the vendor. If the version of Oracle JRE 8 running on the system is unsupported, this is a finding.

Fix: F-37847r617346_fix

Test applications to ensure operational compatibility with new version of Java. Install a supported version of Oracle JRE 8.

b

Oracle JRE 8 must remove previous versions when the latest version is installed.

SI-2 - Medium - CCI-002617 - V-234698 - SV-234698r617446_rule

RMF Control

SI-2

Severity

M

CCI

CCI-002617

Version

JRE8-WN-000190

Vuln IDs

V-234698
V-66965

Rule IDs

SV-234698r617446_rule
SV-81455

Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.

Checks: C-37883r616150_chk

Review the system configuration to ensure old versions of JRE have been removed. Open the Windows Control Panel, and navigate to "Programs and Features". Ensure only one instance of JRE is in the list of installed software. If more than one instance of JRE is listed, this is a finding. Note: A 32 and 64 bit version of the same instance is acceptable.

Fix: F-37848r616151_fix

Remove previous versions of JRE. Open the Windows Control Panel, and navigate to "Programs and Features". Highlight, and click uninstall on all out of date instances of JRE.

Checks: C-37868r616105_chk

Fix: F-37833r616106_fix

Generate Mitigation Statement:

Checks: C-37869r616108_chk

Fix: F-37834r616109_fix

Generate Mitigation Statement:

Checks: C-37870r616111_chk

Fix: F-37835r616112_fix

Generate Mitigation Statement:

Checks: C-37871r616114_chk

Fix: F-37836r616115_fix

Generate Mitigation Statement:

Checks: C-37872r616117_chk

Fix: F-37837r616118_fix

Generate Mitigation Statement:

Checks: C-37873r616120_chk

Fix: F-37838r616121_fix

Generate Mitigation Statement:

Checks: C-37874r616123_chk

Fix: F-37839r616124_fix

Generate Mitigation Statement:

Checks: C-37875r616126_chk

Fix: F-37840r616127_fix

Generate Mitigation Statement:

Checks: C-37876r616129_chk

Fix: F-37841r616130_fix

Generate Mitigation Statement:

Checks: C-37877r616132_chk

Fix: F-37842r616133_fix

Generate Mitigation Statement:

Checks: C-37878r616135_chk

Fix: F-37843r616136_fix

Generate Mitigation Statement:

Checks: C-37879r616138_chk

Fix: F-37844r616139_fix

Generate Mitigation Statement:

Checks: C-37880r616141_chk

Fix: F-37845r616142_fix

Generate Mitigation Statement:

Checks: C-37881r616144_chk

Fix: F-37846r616145_fix

Generate Mitigation Statement:

Checks: C-37882r617345_chk

Fix: F-37847r617346_fix

Generate Mitigation Statement:

Checks: C-37883r616150_chk

Fix: F-37848r616151_fix

Generate Mitigation Statement: