CWE-382
J2EE Bad Practices: Use of System.exit()
A J2EE application uses System.exit(), which also shuts down its container.
Status
draft
Abstraction
variant
Affected Platforms
Java
Web Based
Web Server
Extended Description
It is never a good idea for a web application to attempt to shut down the application container. Access to a function that can shut down the application is an avenue for Denial of Service (DoS) attacks.
Technical Details
Common Consequences
availability
Impacts
DoS: crash, exit, or restart
Detection Methods
automated static analysis
Potential Mitigations
Phases:
architecture and design
implementation
Descriptions:
• The shutdown function should be a privileged function available only to a properly authorized administrative user.
• Web applications should also not throw any Throwables to the application server as this may adversely affect the container.
• Web applications should not call methods that cause the virtual machine to exit, such as System.exit().
• Non-web applications may have a main() method that contains a System.exit(), but generally should not call System.exit() from other locations in the code.
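
An added example, not part of the CWE entry, showing the weak pattern beside a corrected form that follows the mitigations listed above. It assumes the javax.servlet API is on the classpath; the ReportServletWeak, ReportServletFixed and ReportStore names are hypothetical.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Weak form: any failure while handling one request terminates the JVM,
// and with it the container and every other application deployed in it.
class ReportServletWeak extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        try {
            resp.getWriter().println(ReportStore.load(req.getParameter("id")));
        } catch (Exception e) {
            System.exit(1); // CWE-382: exits the whole virtual machine
        }
    }
}

// Corrected form: the failure stays inside the request. It is logged and
// answered with an HTTP error; nothing exits the VM and no exception from
// the application logic is passed up to the application server.
class ReportServletFixed extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(ReportServletFixed.class.getName());

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        try {
            String body = ReportStore.load(req.getParameter("id"));
            resp.getWriter().println(body);
        } catch (IllegalArgumentException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
        } catch (Exception e) {
            LOG.log(Level.SEVERE, "report generation failed", e);
            if (!resp.isCommitted()) {
                resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            }
        }
    }
}

// Hypothetical backend shared by both servlets; rejects anything but a short numeric id.
final class ReportStore {
    static String load(String id) {
        if (id == null || !id.matches("[0-9]{1,9}")) {
            throw new IllegalArgumentException("invalid report id");
        }
        return "report " + id;
    }
}
```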