Secure Configuration Guide for Oracle JRE 8: Best Practices and Code Examples

In today’s interconnected world, securing software components like the Oracle Java Runtime Environment (JRE) is paramount. The Oracle JRE is integral for running Java applications, yet default configurations can expose systems to vulnerabilities. This guide presents actionable steps to secure Oracle JRE 8, offering code examples and insights for each finding identified in the Security Technical Implementation Guide (STIG). Whether on Windows or Linux, by following these guidelines, you’ll bolster the security of your system and applications.


The Oracle JRE, an indispensable tool for executing Java applications and applets, comes with default settings that may compromise system security. The Security Technical Implementation Guide (STIG) identifies key vulnerabilities and provides solutions for Oracle JRE 8 users. To help you understand and implement these solutions, let’s go through each finding, its importance, and practical code examples.

Automated JRE STIG Script

SimeonOnSecurity has developed a JRE STIG script you can use. Check it out with the link above.


Keeping Oracle JRE Up to Date (V-66967)

Ensuring the latest version of Oracle JRE is in use is a cornerstone of system security. Regular updates address vulnerabilities and enhance protection. An automated update script can streamline this process, ensuring a consistent and secure environment.



```bash
#!/usr/bin/env bash
# Compare the installed Oracle JRE 8 update number with the latest one listed on
# the Oracle release page. The page URL was lost from this listing, so it is taken
# from an environment variable here.
JRE_RELEASE_URL="${JRE_RELEASE_URL:?set to the Oracle JRE 8 release listing URL}"

if java -version 2>&1 | grep -q '"1\.8\.'; then
    echo "Java version is Oracle JRE 8"
    # Newest "JRE-8uNNN" token on the page, keeping only the update number
    latest_update=$(curl -s "$JRE_RELEASE_URL" | grep -oP 'JRE-8u\K\d+' | sort -n | tail -n 1)
    # Installed version string looks like 1.8.0_381; keep the part after "_" so
    # both sides are compared on the same update number
    current_update=$(java -version 2>&1 | awk -F '"' '/version/ {print $2}' | sed 's/.*_//')
    if [[ "$latest_update" != "$current_update" ]]; then
        echo "Updating Java (installed 8u$current_update, latest 8u$latest_update)..."
        # Download and install the latest version
        # Add your installation commands here
    else
        echo "Java is up to date."
    fi
else
    echo "Java version is not Oracle JRE 8."
fi
```

Linux using Ansible

```yaml
# Play reconstructed from the flattened listing: the module names and the hosts
# group were lost and are filled in here; the PPA and package list are the page's own.
- name: Install Linux Oracle JRE8 if available
  hosts: linux_hosts   # adjust to your inventory group
  become: yes
  tasks:
    - name: Add PPA repository
      apt_repository:
        # Note: the WebUpd8 PPA stopped shipping oracle-java8-installer after
        # Oracle's 2019 licence change, so this only works against a mirror that still carries it.
        repo: "ppa:webupd8team/java"
        state: present
      # ansible_facts.pkg_mgr is the fact Ansible exposes for the host's package manager
      when: ansible_facts.pkg_mgr == "apt"
    - name: Install Oracle JRE8 using package manager (apt)
      apt:
        name:
          - "oracle-java8-installer"
          - "default-jre"
          - "default-jdk"
        state: latest
        update_cache: yes
      when: ansible_facts.pkg_mgr == "apt"
```

Windows with Chocolatey

```powershell
### install chocolatey
# The install-script URL was lost from this listing; put the official Chocolatey install URL in the quotes.
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString(''))

### Install and Update Java
choco install -y jre8
# 'choco update' was only an alias and is gone from current Chocolatey; 'upgrade' is the real command
choco upgrade -y jre8
```

Windows using Ansible

```yaml
- name: Update Oracle JRE on Windows using Chocolatey
  hosts: windows_hosts
  tasks:
    - name: Install Oracle JRE using Chocolatey
      win_chocolatey:   # module name lost from the listing and reconstructed here
        name: jre8
        state: latest
```

Creating (V-66943)

For customized Java Runtime Environment configuration, it’s essential to have a file. If it doesn’t exist, create one in a system-wide path for both Windows and Linux:

  • Windows: C:\Windows\Sun\Java\Deployment\ or C:\Program Files\Java\jre1.8.x_x\lib
  • Linux: /usr/lib/jvm/jre-1.8.x_x/lib

See an example of a file.

Configuring deployment.config (V-66941)

For effective management of Java deployment properties, configure the deployment.config file. Set the path to the file in a system-wide location:


See an example of a deployment.config file.

Using an Accepted Sites List (V-66957)

An accepted sites list limits software execution to authorized sources, minimizing potential risks. Implement this by creating an exception.sites file and listing approved sites:

  1. Create a new file named exception.sites in the C:\Windows\Sun\Java\Deployment\ directory on Windows or /usr/lib/jvm/jre-1.8.x_x/lib/security on Linux.
  2. Add each authorized site on a new line.

See an example of a known working configuration for exception.sites.

Implementing Authorized Sites Management (V-66959)

Implementing an authorized sites list through the use of an exception.sites file is crucial. This whitelist-based approach allows only authorized software to execute, effectively limiting the number of applications that can run, thereby reducing risk.
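As an added example (not code from the original post or from the SimeonOnSecurity script), the bash helpers below build the exception.sites allow list from a set of candidate entries and reject anything that would widen it: blank lines, wildcard entries, and entries without an explicit http:// or https:// scheme. Accepting only those two schemes is a policy chosen for this example; the target path is whatever you pass in.

```bash
#!/usr/bin/env bash
# Added example: build and sanity-check an exception.sites allow list.
set -u

# check_site_entry ENTRY
# Returns 0 if a single exception.sites line is acceptable, 1 otherwise.
# Only scheme-qualified http/https URLs with an optional port and path pass;
# a wildcard or a bare host name would broaden the list beyond one origin.
check_site_entry() {
    local entry="$1"
    local re='^https?://[A-Za-z0-9.-]+(:[0-9]+)?(/.*)?$'
    [[ -z "$entry" ]] && return 1
    [[ "$entry" == *'*'* ]] && return 1      # wildcards widen the allow list
    [[ "$entry" =~ $re ]] || return 1
    return 0
}

# write_exception_sites TARGET  (candidate entries on stdin, one per line)
# Writes the accepted entries to TARGET and prints how many lines were rejected.
write_exception_sites() {
    local target="$1" rejected=0 line
    : > "$target"
    while IFS= read -r line || [[ -n "$line" ]]; do
        if check_site_entry "$line"; then
            printf '%s\n' "$line" >> "$target"
        else
            rejected=$((rejected + 1))
        fi
    done
    echo "$rejected"
}
```

Feed it the approved sites (constructed input such as `printf 'https://intranet.example.com\n'`) and review anything it reports as rejected before placing the file in the Deployment directory named above.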

Allowing Java Web Start Applications (V-66947)

Java Web Start (JWS) applications play a pivotal role in the modern computing landscape. To grant permission for these applications, create a file and insert the following:


Preventing Download of Prohibited Mobile Code (V-66955)

Guarding against malicious mobile code downloads is crucial. Configure your file to implement this security measure:

Restricting Execution of Untrusted Signed Content (V-66951)

Enforcing strict execution control for signed content prevents potential security breaches. Use this property in your file:

Enabling Online Certificate Validation (V-66953)

Enhance certificate validation security by enabling online certificate validation. Modify your file with:

Enforcing Publisher Certificate Revocation Checks (V-66723)

To bolster the security of your Oracle JRE 8 environment, lock the option to enable users to check publisher certificates for revocation. Revoked certificates can arise due to improper issuance, certificate compromise, or policy violations. By preventing the use of compromised certificates, you enhance the integrity of your system.

In your file, add the following line:,crl

Disabling Execution from Untrusted Authorities (V-66949)

Enhance your security posture by disabling the dialog that grants permissions to execute signed content from untrusted authorities. This step prevents even signed applets from potentially malicious sources from executing.

In your file, add the following line:

Controlled Execution of Mobile Code (V-66963)

Prompting users for action prior to executing mobile code is essential for preventing unintended execution of potentially harmful code. This added layer of protection ensures that users are aware of and can control the execution process.

Enabling Publisher Certificate Revocation Checks (V-66961)

Enable users to check the revocation status of publisher certificates to prevent the use of compromised certificates. A valid certificate revocation list (CRL) helps maintain the integrity of your Java environment.

Removing Previous Versions (V-66965)

Enhance system security by removing previous versions of Oracle JRE 8 when installing the latest version. By keeping only the latest version, you prevent potential exploitation of known vulnerabilities.

# Manual removal of previous versions required

Configuring deployment.config (V-66939)

Proper configuration of the deployment.config file is vital for effective management of Java deployment properties. This file specifies the location and attributes of the file, ensuring accurate configuration.
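The V-66941 and V-66939 sections describe what deployment.config must do without showing its contents. As an added example (not the page's own code), the bash helpers below write a deployment.config whose deployment.system.config entry points at a system-wide properties file passed in as an argument, set deployment.system.config.mandatory=true so Java refuses to run deployments if that file is missing, and then check an existing deployment.config for both conditions. The two keys are the ones Oracle's deployment.config reads; the properties file path and name are whatever you supply.

```bash
#!/usr/bin/env bash
# Added example: create and verify a deployment.config for a system-wide properties file.
set -u

# write_deployment_config CONFIG_PATH PROPERTIES_PATH
# PROPERTIES_PATH must already exist; it is written as an absolute file: URL.
write_deployment_config() {
    local config="$1" props="$2" abs
    [[ -f "$props" ]] || { echo "properties file not found: $props" >&2; return 1; }
    abs=$(cd "$(dirname "$props")" && pwd)/$(basename "$props")
    printf 'deployment.system.config=file://%s\n' "$abs" > "$config"
    # mandatory=true: a missing or unreadable properties file blocks Java deployments
    # instead of silently falling back to Oracle's defaults
    printf 'deployment.system.config.mandatory=true\n' >> "$config"
}

# check_deployment_config CONFIG_PATH
# Returns 0 only when the config names a properties file that exists AND marks
# it mandatory; anything else is the weak state the STIG finding warns about.
check_deployment_config() {
    local config="$1" url mandatory
    [[ -f "$config" ]] || return 1
    url=$(sed -n 's/^deployment\.system\.config=//p' "$config" | head -n 1 | tr -d '\r')
    mandatory=$(sed -n 's/^deployment\.system\.config\.mandatory=//p' "$config" | head -n 1 | tr -d '\r')
    [[ "$mandatory" == "true" ]] || return 1
    [[ -f "${url#file://}" ]] || return 1    # strip the scheme, keep the absolute path
    return 0
}
```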

Defaulting to Secure Settings (V-66945)

Enhance your system’s security posture by configuring Oracle JRE 8 to default to the most secure built-in settings. By requiring applications to be signed with valid certificates and include specific permissions, you reduce the likelihood of security breaches.

# Configuration through Java Control Panel settings


Protecting your systems against vulnerabilities is an ongoing endeavor. By following these actionable guidelines and implementing code examples for securing Oracle JRE 8, you’ll significantly reduce the risk of potential breaches. Keep in mind that regular updates, controlled execution, and authorized sites are key components of a robust security strategy.