Title

Java software on production web servers must be limited to class files and the JAVA virtual machine. (Cat III impact)

Discussion

From the source code in a .java or a .jpp file, the Java compiler produces a binary file with an extension of .class. The .java or .jpp file would, therefore, reveal sensitive information regarding an application’s logic and permissions to resources on the server. By contrast, the .class file, because it is intended to be machine independent, is referred to as bytecode. Bytecodes are run by the Java Virtual Machine (JVM), or the Java Runtime Environment (JRE), via a browser configured to permit Java code.

Check Content

Search the web content and scripts directories (found in check WG290) for .java and .jpp files. If either file type is found, this is a finding. Note: Executables such as java.exe, jre.exe, and jrew.exe are permitted.

Fix Text

Remove the appropriate files from the web server.

Additional Identifiers

Rule ID: SV-33143r1_rule

Vulnerability ID: V-2265

Group Title: WG490

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.