Check: WG490 W22
APACHE SITE 2.0 for Windows:
WG490 W22
(in version v1 r5)
Title
Java software on production web servers must be limited to class files and the JAVA virtual machine. (Cat III impact)
Discussion
From the source code in a .java or a .jpp file, the Java compiler produces a binary file with an extension of .class. The .java or .jpp file would, therefore, reveal sensitive information regarding an application’s logic and permissions to resources on the server. By contrast, the .class file, because it is intended to be machine independent, is referred to as bytecode. Bytecodes are run by the Java Virtual Machine (JVM), or the Java Runtime Environment (JRE), via a browser configured to permit Java code.
Check Content
Search the web content and scripts directories (found in check WG290) for .java and .jpp files. If either file type is found, this is a finding. Note: Executables such as java.exe, jre.exe, and jrew.exe are permitted.
Fix Text
Remove the appropriate files from the web server.
Additional Identifiers
Rule ID: SV-33143r1_rule
Vulnerability ID: V-2265
Group Title: WG490
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |