CWE-382 – J2EE Bad Practices: Use of System.exit()


Description

A J2EE application calls System.exit(), which terminates the JVM and with it the container that hosts the application.

A web application should never attempt to shut down its own container. In a servlet container the application shares one JVM with the container and with every other application deployed in it, so a call to System.exit() (or its equivalents Runtime.getRuntime().exit() and Runtime.getRuntime().halt()) stops all of them at once. Any request path that can reach such a call, whether by design or through an unguarded error-handling branch, is an avenue for Denial of Service (DoS) attacks.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-705 – Incorrect Control Flow Scoping

Consequences

Availability: DoS: Crash, Exit, or Restart. Because the whole container JVM exits, every application deployed in that container becomes unavailable, not only the one that made the call.

Potential Mitigations

Phase: Architecture and Design

Description: 

The shutdown function should be a privileged function available only to a properly authorized administrative user, and it should be provided by the container's own management interface rather than implemented inside the web application.

Phase: Implementation

Description: 

Web applications should not call methods that cause the virtual machine to exit, such as System.exit(), Runtime.getRuntime().exit() or Runtime.getRuntime().halt(). A simple search of the code base for these calls is a reliable check during code review.

Phase: Implementation

Description: 

Web applications should also not let arbitrary Throwables escape to the application server, since an uncaught Error propagating out of a request handler may adversely affect the container. Catch failures at the request boundary, log them, and return an error response instead.

Phase: Implementation

Description: 

Non-web applications may legitimately call System.exit() from main() to set the process exit code, but generally should not call it from other locations in the code. Library and framework code in particular should signal failure by throwing an exception so that the caller decides whether the process exits.
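The following is an added example and not code from the CWE entry: a servlet that exhibits the pattern described above, next to a hardened version that follows the Architecture and Design and Implementation mitigations. It assumes the javax.servlet API (Java EE 8; Jakarta EE 9+ uses the jakarta.servlet package instead), a container-managed role named "admin" declared via security-role in web.xml, and a hypothetical application-level MAINTENANCE flag. The two classes are shown together for comparison but would each live in their own source file.

```java
import java.io.IOException;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * BEFORE: the pattern CWE-382 describes. Any client that can reach this
 * servlet stops the entire container JVM, and with it every other
 * application deployed in the container, with a single request.
 */
public class ShutdownServletVulnerable extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("shutdown".equals(req.getParameter("action"))) {
            // Terminates the JVM hosting the container, not just this webapp.
            // Runtime.getRuntime().exit(0) and Runtime.getRuntime().halt(0)
            // have the same effect and must be treated the same way.
            System.exit(0);
        }
        resp.getWriter().println("ok");
    }
}

/*
 * AFTER: the same feature without touching the JVM. The request is
 * authorized against a container-managed role, and "shutdown" becomes an
 * application-scoped maintenance flag that the rest of the application
 * honours (for example, a filter returning 503 while it is set). Actually
 * stopping the server is left to the container's own administrative
 * tooling, which runs outside the webapp's trust boundary.
 */
public class ShutdownServletHardened extends HttpServlet {
    // Hypothetical application-level flag (assumption, not part of the
    // servlet API); a real application would keep it in a shared service.
    static final AtomicBoolean MAINTENANCE = new AtomicBoolean(false);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Privileged operation: require an authenticated user in the "admin"
        // role. The role name is an assumption and must match the
        // <security-role> declared in web.xml.
        if (req.getUserPrincipal() == null || !req.isUserInRole("admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        try {
            if ("shutdown".equals(req.getParameter("action"))) {
                MAINTENANCE.set(true);
                log("maintenance mode enabled by "
                        + req.getUserPrincipal().getName());
            }
            resp.getWriter().println("ok");
        } catch (RuntimeException e) {
            // Turn unexpected failures into an error response instead of
            // letting arbitrary Throwables escape to the container.
            log("shutdown endpoint failed", e);
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }
}
```

The hardened servlet never gives the application a way to end the JVM: the worst an authorized administrator can do is put the application into maintenance mode, and an unauthenticated caller gets a 403. Note that the check on isUserInRole() only works when the container is configured to authenticate requests to this URL; without a security-constraint in web.xml, getUserPrincipal() is null for every request and the endpoint simply refuses everyone.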

CVE References