The option to enable users to check publisher certificates for revocation must be locked.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32831	JRE0030-J6XP	SV-43216r3_rule	DCBP-1	Medium

Description
A certificate revocation list is a directory which contains a list of certificates that have been revoked for various reasons. Certificates may be revoked due to improper issuance, compromise of the certificate, and failure to adhere to policy. Therefore, any certificate found on a CRL should not be trusted. Permitting execution of an applet published with a revoked certificate may result in spoofing, malware, system modification, invasion of privacy, and denial of service. Ensuring users cannot change settings contributes to a more consistent security profile.

Description

A certificate revocation list is a directory which contains a list of certificates that have been revoked for various reasons. Certificates may be revoked due to improper issuance, compromise of the certificate, and failure to adhere to policy. Therefore, any certificate found on a CRL should not be trusted. Permitting execution of an applet published with a revoked certificate may result in spoofing, malware, system modification, invasion of privacy, and denial of service. Ensuring users cannot change settings contributes to a more consistent security profile.

STIG	Date
Java Runtime Environment (JRE) 6 STIG for Windows XP	2014-04-04

Details

Check Text ( C-41512r6_chk )
If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java. For 32 bit systems: C:\Program Files\Java\jre6\lib\deployment.properties. For 64 bit systems you must check both the 64 bit and the 32 bit files: C:\Program Files\Java\jre6\lib\deployment.properties C:\Program Files (x86)\Java\jre6\lib\deployment.properties If the key 'deployment.security.validation.crl.locked' is not present in the deployment.properties file, this is a finding.

Check Text ( C-41512r6_chk )

If the system is on the SIPRNET, this requirement is NA.

Navigate to the 'deployment.properties' file for Java.

For 32 bit systems:
C:\Program Files\Java\jre6\lib\deployment.properties.

For 64 bit systems you must check both the 64 bit and the 32 bit files:
C:\Program Files\Java\jre6\lib\deployment.properties
C:\Program Files (x86)\Java\jre6\lib\deployment.properties

If the key 'deployment.security.validation.crl.locked' is not present in the deployment.properties file, this is a finding.

Fix Text (F-37148r4_fix)
Lock the 'Check certificates for revocation using Certificate Revocation Lists (CRL)' option. Navigate to the 'deployment.properties' file for Java. For 32 bit systems: C:\Program Files\Java\jre6\lib\deployment.properties. For 64 bit systems you must check both the 64 bit and the 32 bit files: C:\Program Files\Java\jre6\lib\deployment.properties C:\Program Files (x86)\Java\jre6\lib\deployment.properties Add the key 'deployment.security.validation.crl.locked' to the deployment.properties file.

Fix Text (F-37148r4_fix)

Lock the 'Check certificates for revocation using Certificate Revocation Lists (CRL)' option.

Navigate to the 'deployment.properties' file for Java.

For 32 bit systems:
C:\Program Files\Java\jre6\lib\deployment.properties.

For 64 bit systems you must check both the 64 bit and the 32 bit files:
C:\Program Files\Java\jre6\lib\deployment.properties
C:\Program Files (x86)\Java\jre6\lib\deployment.properties

Add the key 'deployment.security.validation.crl.locked' to the deployment.properties file.