Oracle JRE 8 must set the option to enable online certificate validation.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-66953	JRE8-WN-000100	SV-81443r2_rule		Medium

Description
Online certificate validation provides a real-time option to validate a certificate. When enabled, if a certificate is presented, the status of the certificate is requested. The status is sent back as “current”, “expired”, or “unknown”. Online certificate validation provides a greater degree of validation of certificates when running a signed Java applet. Permitting execution of an applet with an invalid certificate may result in malware, system modification, invasion of privacy, and denial of service.

Description

Online certificate validation provides a real-time option to validate a certificate. When enabled, if a certificate is presented, the status of the certificate is requested. The status is sent back as “current”, “expired”, or “unknown”. Online certificate validation provides a greater degree of validation of certificates when running a signed Java applet. Permitting execution of an applet with an invalid certificate may result in malware, system modification, invasion of privacy, and denial of service.

STIG	Date
Java Runtime Environment (JRE) version 8 STIG for Windows	2017-12-21

Details

Check Text ( C-67589r2_chk )
If the system is on the SIPRNet, this requirement is NA. Navigate to the system-level "deployment.properties" file for JRE. \Sun\Java\Deployment\deployment.properties - or - \Lib\deployment.properties If the key "deployment.security.validation.ocsp=true" is not present in the "deployment.properties" file, this is a finding. If the key "deployment.security.validation.ocsp.locked" is not present in the "deployment.properties" file, this is a finding. If the key "deployment.security.validation.ocsp" is set to "false", this is a finding.

Check Text ( C-67589r2_chk )

If the system is on the SIPRNet, this requirement is NA.

Navigate to the system-level "deployment.properties" file for JRE.

\Sun\Java\Deployment\deployment.properties
- or -
\Lib\deployment.properties

If the key "deployment.security.validation.ocsp=true" is not present in the "deployment.properties" file, this is a finding.

If the key "deployment.security.validation.ocsp.locked" is not present in the "deployment.properties" file, this is a finding.

If the key "deployment.security.validation.ocsp" is set to "false", this is a finding.

Fix Text (F-73053r3_fix)
If the system is on the SIPRNet, this requirement is NA. Navigate to the system-level "deployment.properties" file for JRE. Add the key "deployment.security.validation.ocsp=true" to the "deployment.properties" file. Add the key "deployment.security.validation.ocsp.locked" to the "deployment.properties" file.