Backslash Vulnerability Database J2EE Bad Practices: Use of System.exit()
J2EE Bad Practices: Use of System.exit()
CWE-382
Short description
A J2EE application uses System.exit(), which also shuts down its container.
Extended description
It is never a good idea for a web application to attempt to shut down the application container. Access to a function that can shut down the application is an avenue for Denial of Service (DoS) attacks.
Best practices to prevent this CWE
Phase: Architecture and Design
Strategy: Separation of Privilege
The shutdown function should be a privileged function available only to a properly authorized administrative user
Phase: Implementation
Web applications should not call methods that cause the virtual machine to exit, such as System.exit()
Phase: Implementation
Web applications should also not throw any Throwables to the application server as this may adversely affect the container.
Phase: Implementation
Non-web applications may have a main() method that contains a System.exit(), but generally should not call System.exit() from other locations in the code