| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-2265 | WG490 | SV-2265r7_rule | ECSC-1 | Low |

| Description |
|---|
| From the source code in a .java or a .jpp file, the Java compiler produces a binary file with an extension of .class. The .java or .jpp file would, therefore, reveal sensitive information regarding an application's logic and permissions to resources on the server. By contrast, the .class file, because it is intended to be machine independent, is referred to as bytecode. Bytecodes are run by the Java Virtual Machine (JVM), or the Java Runtime Environment (JRE), via a browser configured to permit Java code. |

| STIG | Date |
|---|---|
| Web Server STIG | 2010-10-07 |

| Check Text (C-29979r1_chk) |
|---|
| Search the web content directory and scripts directory for Java code other than .class, .jre, and .jvm. Executables such as java.exe, jre.exe, and jrew.exe are permitted, but .java and .jpp files are not allowed on the production web server. UNIX: Search the web content directory and scripts directory for Java code files other than .class. Use: `find / -name *.java` or `find / -name *.jpp`. Windows: Search the web content directory and scripts directory for Java code files other than .class. Use: Start [Right Click] >> Search `*.java` with "look in local hard drives"; find `*.jpp` with "look in local hard drives". If Java code files with a .java or .jpp extension are found in the web content or scripts directories, this is a finding. |

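The UNIX check above can be scripted so it runs against the actual web content and scripts directories rather than the whole filesystem, and so the `*.java` pattern is quoted (an unquoted glob, as written in the check text, is expanded by the shell against the current directory before `find` sees it). The following is an added example, not part of the STIG or any vendor tool; the directory paths and the sample tree it builds are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit web content/scripts directories for Java source
# files (.java, .jpp), which V-2265 forbids on a production web server.
# Directory paths passed in are assumptions; pass the real DocumentRoot
# and script directories of the server under review.

# find_java_source DIR... : prints every .java/.jpp file under the given
# directories; returns 0 when none are found, 1 when at least one is.
find_java_source() {
    found=0
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "skip: $dir is not a directory" >&2
            continue
        fi
        # Patterns are single-quoted so find, not the shell, matches them.
        # Only .java and .jpp are flagged; .class bytecode is permitted.
        hits=$(find "$dir" -type f \( -name '*.java' -o -name '*.jpp' \) 2>/dev/null)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done
    return $found
}

# check_v2265 DIR... : prints the STIG verdict for the given directories
# and returns 0 (not a finding) or 1 (finding).
check_v2265() {
    if find_java_source "$@"; then
        echo "V-2265: no .java/.jpp files in web directories (not a finding)"
        return 0
    fi
    echo "V-2265: Java source files present in web directories (FINDING)"
    return 1
}

# Constructed demonstration tree (sample data, not a real server layout):
# one compiled class that is allowed, plus two source files that are not.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/htdocs/app" "$demo_root/cgi-bin"
: > "$demo_root/htdocs/app/Login.class"
: > "$demo_root/htdocs/app/Login.java"
: > "$demo_root/cgi-bin/Util.jpp"

# Lists Login.java and Util.jpp, then reports a finding.
check_v2265 "$demo_root/htdocs" "$demo_root/cgi-bin" || true
rm -rf "$demo_root"
```

Run it as `sh check_v2265.sh` after replacing the demonstration tree with the server's real web content and scripts directories; the non-zero exit status makes it usable from a scheduled compliance job.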
| Fix Text (F-26836r1_fix) |
|---|
| Limit Java software installed on the production web server to class files and the JVM. |