It is highly unlikely that a method is built to deal with all possible runtime exceptions; consequently, no method should ever catch RuntimeException. If a method catches RuntimeException, it will receive exceptions it was not designed to handle, such as NullPointerException. Many catch clauses simply log or ignore their error and resume control flow. But runtime exceptions represent a bug in the program that should be fixed by the developer, and they almost always lead to control flow vulnerabilities.
...
This code will catch only the exceptions the programmer intended to be caught. A concurrency-based exception will not be caught by this code, and can consequently be managed by code more specifically designed to handle it.
...
*EXC32-J-EX1*: A secure application must also abide by [EXC01-J. Do not allow exceptions to transmit sensitive information]. In order to follow this rule, an application might find it necessary to catch all exceptions at some 'top' level in order to sanitize (or suppress) them. This is also summarized in the CWE entries [CWE 7|http://cwe.mitre.org/data/definitions/7.html] and [CWE 388|http://cwe.mitre.org/data/definitions/388.html]. If exceptions need to be caught, it is better to catch {{Throwable}} instead of {{Exception}} \[[Roubtsov 03|AA. Java References#Roubtsov 03]\].
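The following added example (not code from the CERT page itself) puts the rule and EXC32-J-EX1 side by side: a parser that catches RuntimeException and so silently absorbs a NullPointerException caused by a caller bug, the same parser catching only the NumberFormatException it is designed to handle, and a single top-level handler that catches Throwable to sanitize what leaves the program. The class name, method names and default port are assumptions chosen for the illustration.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example (not the CERT page's own code). Shows the difference between
// catching RuntimeException, which also swallows bugs like NullPointerException,
// and catching only the exception the method is designed to handle.
public final class ParsePort {
    private static final Logger LOG = Logger.getLogger(ParsePort.class.getName());

    // Noncompliant: catches RuntimeException, so a null argument (a bug) is
    // silently turned into a default value and control flow continues.
    static int parsePortNoncompliant(String text) {
        try {
            return Integer.parseInt(text.trim());
        } catch (RuntimeException e) {   // also catches NullPointerException
            LOG.log(Level.WARNING, "bad port, using default", e);
            return 8080;
        }
    }

    // Compliant: catches only NumberFormatException, the failure this method is
    // designed to handle. A null argument still surfaces as a NullPointerException
    // for the caller (or a top-level handler) to deal with.
    static int parsePortCompliant(String text) {
        try {
            return Integer.parseInt(text.trim());
        } catch (NumberFormatException e) {
            LOG.log(Level.WARNING, "bad port, using default", e);
            return 8080;
        }
    }

    // EXC32-J-EX1: a single top-level handler may catch Throwable to sanitize
    // what leaves the program; it logs full details internally, reports only a
    // generic message outward, and terminates rather than resuming.
    public static void main(String[] args) {
        try {
            String arg = args.length > 0 ? args[0] : null;   // null simulates a caller bug
            System.out.println("compliant: " + parsePortCompliant(arg));
        } catch (Throwable t) {
            LOG.log(Level.SEVERE, "unhandled failure", t);   // internal detail stays in the log
            System.err.println("Fatal internal error");      // sanitized external message
            System.exit(1);
        }
    }
}
```

Run with no arguments, the noncompliant variant would quietly return 8080, while the compliant variant lets the NullPointerException reach the top-level handler, where it is logged in full and reported outward only as a generic failure.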
...