
Java software installed on the production web server will be limited to class files and the JAVA virtual machine.


Overview

Finding ID: V-2265
Version: WG490
Rule ID: SV-2265r7_rule
IA Controls: ECSC-1
Severity: Low
Description
From the source code in a .java or a .jpp file, the Java compiler produces a binary file with an extension of .class. The .java or .jpp file would, therefore, reveal sensitive information regarding an application’s logic and permissions to resources on the server. By contrast, the .class file, because it is intended to be machine independent, is referred to as bytecode. Bytecodes are run by the Java Virtual Machine (JVM), or the Java Runtime Environment (JRE), via a browser configured to permit Java code.
STIG: Web Server STIG
Date: 2010-10-07

Details

Check Text ( C-29979r1_chk )
Search the web content directory and scripts directory for Java code other than .class, .jre, and .jvm. Executables such as java.exe, jre.exe, and jrew.exe are permitted, but .java and .jpp files are not allowed on the production web server.

UNIX:
Search the web content directory and scripts directory for Java code files other than .class.
Use: find / -name '*.java' or find / -name '*.jpp' (the patterns are quoted so the shell does not expand them against the current directory before find runs).

Windows:
Search the web content directory and scripts directory for Java code files other than .class.

Use: Start [Right Click] >> Search *.java with “look in local hard drives”; find *.jpp with “look in local hard drives”.

If Java code with a .java or .jpp extension is found in the web content or scripts directories, this is a finding.
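Added example (not part of the STIG text): a POSIX shell audit that performs the UNIX check above against the web content and scripts directories and reports a finding when .java or .jpp files are present. The directory names and the sample tree are constructed for illustration; on a real server pass the actual web root and scripts directory.

```shell
#!/bin/sh
# Added example, not part of the STIG text. Audits the given directories for
# Java source files (.java, .jpp) as the WG490 check describes.

# Print any .java/.jpp files under the given directories, one per line.
# Patterns are quoted so find, not the shell, matches them; -iname also
# catches upper-case extensions such as .JAVA on case-insensitive filesystems.
list_java_source() {
    find "$@" -type f \( -iname '*.java' -o -iname '*.jpp' \) 2>/dev/null
}

# Return 0 when no source files are present (not a finding),
# 1 when at least one is found (a finding under WG490).
wg490_check() {
    hits=$(list_java_source "$@" | wc -l | tr -d ' ')
    if [ "$hits" -gt 0 ]; then
        echo "WG490: FINDING - $hits Java source file(s) present:"
        list_java_source "$@"
        return 1
    fi
    echo "WG490: no .java/.jpp files under: $*"
    return 0
}

# Constructed sample tree standing in for the web root and scripts directory
# (hypothetical paths: htdocs/ and cgi-bin/ under a temp directory).
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/htdocs/WEB-INF/classes" "$root/cgi-bin"
    : > "$root/htdocs/WEB-INF/classes/Login.class"   # permitted bytecode
    : > "$root/cgi-bin/java.exe"                      # permitted executable
    : > "$root/htdocs/WEB-INF/classes/Login.java"     # source file: a finding
    : > "$root/cgi-bin/helper.JPP"                    # source file: a finding
    echo "$root"
}

# Run with --demo to audit the constructed tree and see the finding output.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_tree)
    wg490_check "$sample/htdocs" "$sample/cgi-bin"
    rm -rf "$sample"
fi
```

The same functions can be pointed at the real directories (for example `wg490_check /var/www/html /var/www/cgi-bin`, paths assumed) and the exit status used from a scheduled compliance job.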
Fix Text (F-26836r1_fix)
Limit Java software installed on the production web server to class files and the JVM.