A web application should not make calls to System.exit() or Runtime.exit(). Even if it is "dead" code, or has no permission to shut down the Java Virtual Machine, the code is probably leftover debug code, or code left from a non-J2EE application.

Vulnerability and risk

System.exit() and Runtime.exit() can shut down the Java Virtual Machine. This might lead to a Denial of Service attack.

Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.

Mitigation and prevention

Calls to System.exit() and Runtime.exit() should be removed. An appropriate error handling should be implemented.

Example 1

16     public void doPost(HttpServletRequest request,
17                        HttpServletResponse response) throws IOException,
18                                                             ServletException {
19         doProcessRequest(request, response);
20     }
21     public void doGet(HttpServletRequest request,
22                       HttpServletResponse response) throws IOException,
23                                                            ServletException {
24         doProcessRequest(request, response);
25     }
26     // called from servlet
27     private void doProcessRequest(HttpServletRequest request,
28                                   HttpServletResponse response) throws IOException,
29                                                                        ServletException {
30         if ("shutdown".equals(request.getParameter("action"))) {
31             System.exit(1);
32         }
33         doCreatePage(request, response);
34         // ...
35     }

SV.UMC.EXIT is reported for call on line 31: 'java.lang.System.exit()' method call should not be used in servlets code