CWE-382
Description
A J2EE application uses System.exit(), which also shuts down its container.
It is never a good idea for a web application to attempt to shut down the application container. Access to a function that can shut down the application is an avenue for Denial of Service (DoS) attacks.
Consequences
Mitigations
The shutdown function should be a privileged function available only to a properly authorized administrative user
Web applications should not call methods that cause the virtual machine to exit, such as System.exit()
Web applications should also not throw any Throwables to the application server as this may adversely affect the container.
Non-web applications may have a main() method that contains a System.exit(), but generally should not call System.exit() from other locations in the code
Detection
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)