CWE-382
J2EE Bad Practices: Use of System.exit()
Description
A J2EE application uses System.exit(), which also shuts down its container.
It is never a good idea for a web application to attempt to shut down the application container. Access to a function that can shut down the application is an avenue for Denial of Service (DoS) attacks.
Parent Weaknesses (ChildOf)
Common Consequences
Scope
Impact
DoS: Crash, Exit, or Restart
Potential Mitigations
The shutdown function should be a privileged function available only to a properly authorized administrative user.
Web applications should not call methods that cause the virtual machine to exit, such as System.exit().
Web applications should also not throw any Throwables to the application server, as this may adversely affect the container.
Non-web applications may have a main() method that contains a System.exit(), but generally should not call System.exit() from other locations in the code.
Applicable Platforms