Variant · Draft

CWE-382: J2EE Bad Practices: Use of System.exit()

Category: other

Description

A J2EE application uses System.exit(), which also shuts down its container. It is never a good idea for a web application to attempt to shut down the application container. Access to a function that can shut down the application is an avenue for Denial of Service (DoS) attacks.

Common consequences

  • Availability — DoS: Crash, Exit, or Restart

Potential mitigations

  • [Architecture and Design] The shutdown function should be a privileged function available only to a properly authorized administrative user.
  • [Implementation] Web applications should not call methods that cause the virtual machine to exit, such as System.exit().
  • [Implementation] Web applications should also not throw any Throwables to the application server, as this may adversely affect the container.
  • [Implementation] Non-web applications may have a main() method that contains a System.exit(), but generally should not call System.exit() from other locations in the code.

References

  1. https://cwe.mitre.org/data/definitions/382.html

Related by meaning

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: J2EE Bad Practices: Direct Use of Sockets
  • CWE: J2EE Bad Practices: Direct Management of Connections
  • CWE: J2EE Bad Practices: Direct Use of Threads
  • CWE: J2EE Framework: Saving Unserializable Objects to Disk
  • CWE: J2EE Misconfiguration: Weak Access Permissions for EJB Methods
  • CWE: J2EE Misconfiguration: Plaintext Password in Configuration File

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.