STIGhubSTIGhub
STIGsSearchCompareAbout

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • VPAT
  • DISA STIG Library
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to APACHE 2.2 Site for Windows Security Technical Implementation Guide

V-2265

CAT III (Low)

Java software on production web servers must be limited to class files and the JAVA virtual machine.

Rule ID

SV-33143r1_rule

STIG

APACHE 2.2 Site for Windows Security Technical Implementation Guide

Version

V1R13

CCIs

None

Discussion

From the source code in a .java or a .jpp file, the Java compiler produces a binary file with an extension of .class. The .java or .jpp file would, therefore, reveal sensitive information regarding an application’s logic and permissions to resources on the server. By contrast, the .class file, because it is intended to be machine independent, is referred to as bytecode. Bytecodes are run by the Java Virtual Machine (JVM), or the Java Runtime Environment (JRE), via a browser configured to permit Java code.

Check Content

Search the web content and scripts directories (found in check WG290) for .java and .jpp files.

If either file type is found, this is a finding.

Note: Executables such as java.exe, jre.exe, and jrew.exe are permitted.

Fix Text

Remove the appropriate files from the web server.