Java Runtime Environment (JRE) version 8 STIG for Windows

Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Java Runtime Environment (JRE) version 8 STIG for Windows

Overview

Version	Date	Finding Count (16)			Downloads
1	2017-06-29 2016-09-27 2017-01-05 2017-01-05 2017-12-21 2017-12-21 2017-12-21 2017-12-21 2017-12-21 2017-12-21 2017-12-21 2017-12-21 2017-12-21	CAT I (High): 1	CAT II (Med): 14	CAT III (Low): 1	Excel	JSON	XML

STIG Description
The Java Runtime Environment (JRE) is a bundle developed and offered by Oracle Corporation which includes the Java Virtual Machine (JVM), class libraries, and other components necessary to run Java applications and applets. Certain default settings within the JRE pose a security risk so it is necessary to deploy system wide properties to ensure a higher degree of security when utilizing the JRE.

Available Profiles

Classified	Public	Sensitive
I - Mission Critical Classified	I - Mission Critical Public	I - Mission Critical Sensitive	II - Mission Support Classified	II - Mission Support Public	II - Mission Support Sensitive	III - Administrative Classified	III - Administrative Public	III - Administrative Sensitive

Findings (MAC I - Mission Critical Classified)

Finding ID	Severity	Title	Description
V-66967	High	The version of Oracle JRE 8 running on the system must be the most current available.	Oracle JRE 8 is being continually updated by the vendor in order to address identified security vulnerabilities. Running an older version of the JRE can introduce security vulnerabilities to the system.
V-66947	Medium	Oracle JRE 8 must be set to allow Java Web Start (JWS) applications.	Java Web Start (JWS) applications are the most commonly used. Denying these applications could be detrimental to the user experience. Whitelisting, blacklisting, and signing of applications help...
V-66955	Medium	Oracle JRE 8 must prevent the download of prohibited mobile code.	Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code...
V-66957	Medium	Oracle JRE 8 must enable the option to use an accepted sites list.	Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of...
V-66943	Medium	Oracle JRE 8 must have a deployment.properties file present.	By default no deployment.properties file exists; thus, no system-wide deployment exists. The file must be created. The deployment.properties file is used for specifying keys for the Java Runtime...
V-66951	Medium	Oracle JRE 8 must lock the dialog enabling users to grant permissions to execute signed content from an untrusted authority.	Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their...
V-66941	Medium	Oracle JRE 8 deployment.config file must contain proper keys and values.	The deployment.config configuration file contains two keys. The "deployment.properties" key includes the path of the "deployment.properties" file and the "deployment.properties.mandatory" key...
V-66953	Medium	Oracle JRE 8 must set the option to enable online certificate validation.	Online certificate validation provides a real-time option to validate a certificate. When enabled, if a certificate is presented, the status of the certificate is requested. The status is sent...
V-66723	Medium	Oracle JRE 8 must lock the option to enable users to check publisher certificates for revocation.	Certificates may be revoked due to improper issuance, compromise of the certificate, and failure to adhere to policy. Therefore, any certificate found revoked on a CRL or via Online Certificate...
V-66959	Medium	Oracle JRE 8 must have an exception.sites file present.	Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of...
V-66949	Medium	Oracle JRE 8 must disable the dialog enabling users to grant permissions to execute signed content from an untrusted authority.	Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their...
V-66963	Medium	Oracle JRE 8 must prompt the user for action prior to executing mobile code.	Mobile code can cause damage to the system. It can execute without explicit action from, or notification to, a user. Actions enforced before executing mobile code include, for example, prompting...
V-66961	Medium	Oracle JRE 8 must enable the dialog to enable users to check publisher certificates for revocation.	A certificate revocation list is a directory which contains a list of certificates that have been revoked for various reasons. Certificates may be revoked due to improper issuance, compromise of...
V-66965	Medium	Oracle JRE 8 must remove previous versions when the latest version is installed.	Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products...
V-66939	Medium	Oracle JRE 8 must have a deployment.config file present.	By default no deployment.config file exists; thus, no system-wide deployment.properties file exists. The file must be created. The deployment.config file is used for specifying the location and...
V-66945	Low	Oracle JRE 8 must default to the most secure built-in setting.	Applications that are signed with a valid certificate and include the permissions attribute in the manifest for the main JAR file are allowed to run with security prompts. All other applications...