UCF STIG Viewer Logo

The setting enabling users to configure the check publisher certificates for revocation must be locked.


Overview

Finding ID Version Rule ID IA Controls Severity
V-32831 JRE0030-UX SV-43617r3_rule DCBP-1 Medium
Description
Certificates may be revoked due to improper issuance, compromise of the certificate, and failure to adhere to policy. Therefore, any certificate found revoked on a CRL or via Online Certificate Status Protocol (OCSP) should not be trusted. Permitting execution of an applet published with a revoked certificate may result in spoofing, malware, system modification, invasion of privacy, and denial of service. Ensuring users cannot change these settings assures a more consistent security profile. NOTE: The 'JRE' directory in the file path may reflect the specific JRE release installed.
STIG Date
Java Runtime Environment (JRE) version 7 STIG for Unix 2014-12-29

Details

Check Text ( C-41480r13_chk )
If the system is on the SIPRNET, this requirement is NA.

Navigate to the system 'deployment.properties' file for Java, the default location is
/usr/java/jre/lib/deployment.properties.

If the 'deployment.security.validation.crl.locked' key is not present within the deployment.properties file, this is a finding.

If the 'deployment.security.validation.ocsp.locked' key is not present within the deployment.properties file, this is a finding.
Fix Text (F-37120r12_fix)
Navigate to the system 'deployment.properties' file for Java, the default location is
/usr/java/jre/lib/deployment.properties.

Add the 'deployment.security.validation.crl.locked' key to the deployment.properties file.

Add the 'deployment.security.validation.ocsp.locked' key to the deployment.properties file.