

Oracle JRE 8 must default to the most secure built-in setting. Applications that are signed with a valid certificate and include the permissions attribute in the manifest for the main JAR file are allowed to run with security prompts. The nfig file is used for specifying the location and. Oracle JRE 8 must have a nfig file present. By default no nfig file exists; thus, no system-wide deployment.properties file exists. Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Oracle JRE 8 must remove previous versions when the latest version is installed. Certificates may be revoked due to improper issuance, compromise of. Oracle JRE 8 must enable the dialog to enable users to check publisher certificates for revocation. A certificate revocation list is a directory which contains a list of certificates that have been revoked for various reasons. It can execute without explicit action from, or notification to, a user. Actions enforced before executing mobile code include, for example, prompting. Mobile code can cause damage to the system. Oracle JRE 8 must prompt the user for action prior to executing mobile code.

Oracle JRE 8 must disable the dialog enabling users to grant permissions to execute signed content from an untrusted authority. Oracle JRE 8 must have an exception.sites file present. Therefore, any certificate found revoked on a CRL or via Online Certificate. Oracle JRE 8 must lock the option to enable users to check publisher certificates for revocation. Certificates may be revoked due to improper issuance, compromise of the certificate, and failure to adhere to policy. When enabled, if a certificate is presented, the status of the certificate is requested. Online certificate validation provides a real-time option to validate a certificate. Oracle JRE 8 must set the option to enable online certificate validation. The "deployment.properties" key includes the path of the "deployment.properties" file and the "" key. The nfig configuration file contains two keys. Oracle JRE 8 nfig file must contain proper keys and values. Applet sources considered trusted can have their. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Java applets exist both signed and unsigned. Oracle JRE 8 must lock the dialog enabling users to grant permissions to execute signed content from an untrusted authority. The deployment.properties file is used for specifying keys for the Java Runtime. Oracle JRE 8 must have a deployment.properties file present. By default no deployment.properties file exists; thus, no system-wide deployment exists. Using only authorized software decreases risk by limiting the number of. Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Oracle JRE 8 must enable the option to use an accepted sites list. Oracle JRE 8 must prevent the download of prohibited mobile code. Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously.
Whitelisting, blacklisting, and signing of applications help. Denying these applications could be detrimental to the user experience. Java Web Start (JWS) applications are the most commonly used. Oracle JRE 8 must be set to allow Java Web Start (JWS) applications.

Running an older version of the JRE can introduce security vulnerabilities to the system. Oracle JRE 8 is being continually updated by the vendor in order to address identified security vulnerabilities. The version of Oracle JRE 8 running on the system must be the most current available. Findings (MAC III - Administrative Sensitive) Finding ID
