...
EXC32-J-EX1: A secure application must also abide by EXC01-J. Do not allow exceptions to transmit sensitive information. To follow that rule, an application may need to catch all exceptions at some 'top' level in order to sanitize (or suppress) them before they reach a user. This is also summarized in the CWE entries CWE 7 and CWE 388.
Risk Assessment

Catching RuntimeException will trap several types of exceptions not intended to be caught. This prevents them from being handled properly.
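As an added illustration (not code from the CERT page), the following Java shows both sides of this rule: a method that wrongly catches RuntimeException beside one that catches only the NumberFormatException it expects, and a hypothetical top-level handleRequest boundary that, per EX1, catches Exception only to sanitize it (full detail to an internal logger named app.internal, a generated incident id to the caller). The class, method and logger names are assumptions.

```java
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

public class TopLevelSanitizer {
    // Hypothetical internal log sink; never exposed to end users.
    private static final Logger LOG = Logger.getLogger("app.internal");
    // Noncompliant: catching RuntimeException also traps NullPointerException,
    // ClassCastException, etc. that this method cannot handle, so programming
    // errors are silently turned into -1 and never reach a handler.
    static int parsePortNoncompliant(String s) {
        try {
            return Integer.parseInt(s.trim());
        } catch (RuntimeException e) {
            return -1;
        }
    }
    // Compliant: catch only the exception the operation is documented to throw;
    // anything else propagates to the boundary below.
    static int parsePort(String s) {
        try {
            int port = Integer.parseInt(s.trim());
            if (port < 1 || port > 65535) {
                throw new IllegalArgumentException("port out of range");
            }
            return port;
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("port is not a number", e);
        }
    }
    // EX1: the single top-level boundary may catch Exception, provided it sanitizes
    // rather than suppresses: full detail goes to the internal log under an incident
    // id, the caller gets only the id. Error subclasses are deliberately not caught.
    static String handleRequest(String rawPort) {
        try {
            return "OK: port " + parsePort(rawPort);
        } catch (Exception e) {
            String incidentId = UUID.randomUUID().toString();
            LOG.log(Level.WARNING, "request failed, incident " + incidentId, e);
            return "Request failed (incident " + incidentId + ")";
        }
    }
    public static void main(String[] args) {
        System.out.println(handleRequest("8080"));  // OK: port 8080
        System.out.println(handleRequest("80 80")); // NumberFormatException, sanitized
        System.out.println(handleRequest(null));    // NullPointerException from trim(), sanitized
    }
}
```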
...
References

[MITRE 09] CWE ID 396, "Declaration of Catch for Generic Exception", http://cwe.mitre.org/data/definitions/396.html; CWE ID 7, "J2EE Misconfiguration: Missing Error Handling", http://cwe.mitre.org/data/definitions/7.html
...