CWE-382: J2EE Bad Practices: Use of System.exit()
A J2EE application uses System.exit(), which also shuts down its container.
Last updated
Overview
It is never a good idea for a web application to attempt to shut down the application container. Access to a function that can shut down the application is an avenue for Denial of Service (DoS) attacks.
Common consequences
What can happen when CWE-382 is exploited.
DoS: Crash, Exit, or Restart
Affects: Availability
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
Technologies
How to prevent it
Practical mitigations for CWE-382, grouped by where in the lifecycle they apply.
The shutdown function should be a privileged function available only to a properly authorized administrative user
Web applications should not call methods that cause the virtual machine to exit, such as System.exit()
Web applications should also not throw any Throwables to the application server as this may adversely affect the container.
Non-web applications may have a main() method that contains a System.exit(), but generally should not call System.exit() from other locations in the code
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
Included in the doPost() method defined below is a call to System.exit() in the event of a specific exception.
Vulnerable example
Public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {Terminology & mappings
Mapped taxonomies
- 7 Pernicious Kingdoms: J2EE Bad Practices: System.exit()
- OWASP Top Ten 2004: Denial of Service (A9) — CWE More Specific fit
- The CERT Oracle Secure Coding Standard for Java (2011): Do not allow untrusted code to terminate the JVM (ERR09-J)
- Software Fault Patterns: Use of an improper API (SFP3)
Frequently asked questions
Common questions about CWE-382.
- What is CWE-382?
- A J2EE application uses System.exit(), which also shuts down its container.
- Is CWE-382 part of the OWASP Top 10?
- CWE-382 maps to OWASP Top Ten 2004: Denial of Service (A9) in the OWASP security taxonomy.
- How do you prevent CWE-382?
- The shutdown function should be a privileged function available only to a properly authorized administrative user
- How is CWE-382 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-382?
- Exploiting CWE-382 can lead to: DoS: Crash, Exit, or Restart.
References
- MITRE CWE definition (CWE-382) (opens in a new tab)
- CWE-382 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-382
Get alerted the moment a new CWE-382 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.