If a program relies on finalize() to release system resources, or if there is confusion over which part of the program is responsible for releasing system resources, then there exists a possibility for a potential resource leak. In a busy system, there might be a time gap before the finalize() method is called for an object. An attacker might exploit this vulnerability to induce a denial-of-service attack. The recommendation OBJ02-J. Avoid using finalizers has more information on the demerits of using finalizers.
If there is unreleased memory, eventually the The Java garbage collector will be is called to free up unreleased memory. However, if the program relies on nonmemory resources like file descriptors and database connections, unreleased resources might lead the program to prematurely exhaust its pool of resources. In addition, if the program uses resources like Lock or Semaphore, waiting for finalize() to release the resources may lead to resource starvation. Caching of object references in the output stream also implies that the objects will not be garbage collected unless the streams are closed promptly after use.
Noncompliant Code Example
...
In the case above, if an error occurs while executing the statement or while processing the results of the statement, the connection is not closed. A finally block can be used to ensure that the close statements are eventually called.
...