Feb. 29, 2012
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/) aims to be a comprehensive database in which vulnerability countermeasure information for software products used in Japan is gathered and can be easily accessed by IT users. JVN iPedia collects and translates the vulnerability countermeasure information made public by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), a vulnerability information database run by NIST(*3). JVN iPedia has made this information available to the public since April 25, 2007.
~Vulnerability information stored in JVN iPedia now surpasses 12,000~
Of the vulnerability information registered to the Japanese version of JVN iPedia in the 4th quarter of 2011 (October 1 to December 31, 2011), 1 case was gathered from domestic developers (127 cumulative cases since the launch of JVN iPedia), 205 cases from JVN (1,570 cumulative cases), and 1,111 cases from NVD (10,993 cumulative cases), bringing the quarterly total to 1,317 cases (12,690 cumulative cases). The number of registrations increased by two and a half times compared to the 3rd quarter, and the cumulative total now surpasses 12,000 (see Table 1, Figure 1).
As for the English version of JVN iPedia, none were gathered from domestic developers (125 cumulative cases) and 35 from JVN (595 cumulative cases), for a quarterly total of 35 cases (720 cumulative cases).
| Version | Information Source | Registered Cases | Cumulative Cases |
|---|---|---|---|
| Japanese Version | Domestic Product Developers | 1 | 127 |
| Japanese Version | JVN | 205 | 1,570 |
| Japanese Version | NVD | 1,111 | 10,993 |
| Japanese Version | Total | 1,317 | 12,690 |
| English Version | Domestic Product Developers | 0 | 125 |
| English Version | JVN | 35 | 595 |
| English Version | Total | 35 | 720 |
Because foreign-made software applications are widely used in Japan, IPA began in the 4th quarter of 2011 to translate and publish all vulnerability countermeasure information released daily on NVD within a day or two of its release.
By expanding the products that JVN iPedia covers and shortening the time required to release the information, IPA enables system administrators to obtain the information more widely and more quickly.
~Lots of vulnerabilities in widely-used PC software applications reported. Check and update promptly~
Cyberattacks in recent years that aim to steal confidential and personal information(*4) are persistent: they exploit software vulnerabilities, combine multiple existing attack techniques and target specific organizations and persons, which makes them difficult to deal with.
In particular, vulnerabilities in standard software applications widely used on PCs are exploited. Figure 2 shows the annual transitions in the number of vulnerabilities in 8 standard software products widely used on PCs. The number increases year after year; 450 vulnerabilities were registered in 2011, almost the same as in 2010. Just these 8 major software products account for 16 percent of the total number of vulnerabilities registered.
JVN iPedia rates each vulnerability according to the CVSS(*5) and publishes its severity level(*6). Figure 3 shows the severity of the vulnerabilities in the 8 standard software products widely used on PCs. 602 entries relate to Mozilla Firefox, 360 to Microsoft Internet Explorer and 599 to 3 Adobe products (Reader, Acrobat, Flash Player). By severity, 65 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 32 percent were labeled level II ("Medium", CVSS Base Score = 4.0-6.9) and 3 percent were level I ("Low", CVSS Base Score = 0.0-3.9). The most severe, level III, vulnerabilities account for about two-thirds of the total.
Vulnerabilities with high severity continue to be reported. It is essential for IT users to check vulnerability information on a daily basis and to apply updates or security patches without delay.
IPA offers a free tool, "MyJVN Version Checker(*7)", that enables IT users to easily check whether the software applications installed on their PC are the latest version. A command line version of the tool(*8) has been available since November 2011 so that system administrators can check multiple PCs automatically.
CWE(*9) is a hierarchically structured list of weakness types that helps identify software vulnerabilities.
CWE makes it possible to identify, analyze and globally compare the wide variety of vulnerabilities. Figure 4 illustrates the number of vulnerability countermeasure information entries registered during the 4th quarter, sorted by vulnerability type using CWE.
The vulnerability types reported most often this quarter are CWE-119 (Buffer Errors) with 159 cases, CWE-79 (Cross-Site Scripting) with 131 cases, CWE-20 (Improper Input Validation) with 118 cases, CWE-399 (Resource Management Errors) with 118 cases, and CWE-89 (SQL Injection) with 107 cases.
Most of these are well-known types of vulnerabilities. Software developers should refer to the IPA guidelines that address these vulnerabilities, such as the "Secure Programming Course"(*10), to ensure that the necessary security measures are implemented from the planning and design phase of software development. The hands-on vulnerability learning and experiencing tool "AppGoat(*11)" is also effective for learning about vulnerabilities.
Figure 5 shows the annual transitions in the severity of vulnerabilities registered to JVN iPedia, based on the date they were first made public by product developers or through other means, such as release on security portal sites. Since 2008, the share of published vulnerabilities labeled level III ("High", CVSS Base Score = 7.0-10.0) has been on the rise, and it has exceeded 50 percent since 2010.
As of December 31, 2011, 47 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 45 percent were labeled level II ("Medium", CVSS Base Score = 4.0-6.9) and 8 percent were level I ("Low", CVSS Base Score = 0.0-3.9).
Considering that such a large share of published vulnerabilities is labeled with the higher severity levels, it is essential for IT users to check vulnerability information on a daily basis and to apply updates or security patches without delay.
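The severity breakdowns behind Figures 3 and 5 come from bucketing each entry's CVSS v2 Base Score into the three levels defined above (III: 7.0-10.0, II: 4.0-6.9, I: 0.0-3.9) and then tallying the buckets per publication year. The following Python is an added example, not IPA's or JVN iPedia's code; the thresholds are the ones the report states, while the record layout (`Entry`) and the sample entries with their ids and scores are constructed for illustration. It rejects out-of-range scores instead of silently bucketing them, and the sample data exercises each boundary score.

```python
"""Bucket CVSS v2 base scores into IPA's three severity levels and
aggregate them per publication year, in the manner of Figures 3 and 5.

Added example, not IPA code. Thresholds are the ones the report states;
the record layout and sample entries are constructed."""
from collections import Counter
from dataclasses import dataclass

# Severity levels as stated in the report: III (High) 7.0-10.0,
# II (Medium) 4.0-6.9, I (Low) 0.0-3.9. Ordered highest floor first.
LEVELS = (("III", 7.0), ("II", 4.0), ("I", 0.0))


def severity_level(base_score: float) -> str:
    """Map a CVSS v2 base score to level 'I', 'II' or 'III'.

    Scores outside 0.0-10.0 are rejected rather than bucketed, so a
    malformed feed entry is noticed instead of being counted."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score}")
    # CVSS v2 base scores have one decimal; rounding keeps an odd input
    # such as 6.95 from falling between the II and III buckets.
    score = round(base_score, 1)
    for level, floor in LEVELS:
        if score >= floor:
            return level
    raise AssertionError("unreachable: score validated above")


@dataclass(frozen=True)
class Entry:
    """Minimal vulnerability record (constructed layout): id, year published, base score."""
    vuln_id: str
    year: int
    base_score: float


def severity_distribution(entries):
    """Return {year: {level: percent}} with whole-number percentages,
    the form the report uses ('47 percent were labeled level III')."""
    counts = {}
    for e in entries:
        counts.setdefault(e.year, Counter())[severity_level(e.base_score)] += 1
    result = {}
    for year, c in sorted(counts.items()):
        total = sum(c.values())
        # round() uses banker's rounding; fine for a summary figure.
        result[year] = {lvl: round(100 * c[lvl] / total) for lvl, _ in LEVELS}
    return result


# Constructed sample data: ids and scores are made up, chosen to hit
# every level boundary (7.0, 6.9, 4.0, 3.9).
SAMPLE = [
    Entry("SAMPLE-2010-0001", 2010, 9.3),
    Entry("SAMPLE-2010-0002", 2010, 5.0),
    Entry("SAMPLE-2010-0003", 2010, 7.0),   # lowest level III score
    Entry("SAMPLE-2010-0004", 2010, 2.6),
    Entry("SAMPLE-2011-0001", 2011, 6.9),   # highest level II score
    Entry("SAMPLE-2011-0002", 2011, 10.0),
    Entry("SAMPLE-2011-0003", 2011, 4.0),   # lowest level II score
    Entry("SAMPLE-2011-0004", 2011, 7.5),
    Entry("SAMPLE-2011-0005", 2011, 3.9),   # highest level I score
]

if __name__ == "__main__":
    for year, dist in severity_distribution(SAMPLE).items():
        print(year, dist)
```

Run as a script it prints the per-year percentages for the constructed sample; feeding it real entries from a JVN iPedia or NVD export only requires building `Entry` objects from the export's id, publication date and base score fields.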
Figure 6 shows the annual transitions in the types of software products registered to JVN iPedia for having vulnerabilities, based on their respective publication dates. Because all vulnerability countermeasure information released daily on NVD has been added to the scope of JVN iPedia, the number of registered vulnerabilities in software applications has been increasing: it was 1,634 in 2010 and rose by about 1.4 times to 2,215 in 2011.
Since about 2008, vulnerabilities in the industrial control systems (SCADA: Supervisory Control And Data Acquisition) used in critical infrastructure have also been reported: 8 in 2008, 10 in 2009, 16 in 2010 and 68 in 2011, for a total of 102 SCADA vulnerabilities stored in JVN iPedia.
Since many new software applications are developed each year with both old and new vulnerabilities, improving application security is becoming more and more important. It is essential for IT users to check vulnerability information on a daily basis and to apply updates or security patches without delay.
Figure 7 shows the annual transitions in JVN iPedia registered vulnerabilities found in open source software (OSS) and non-OSS, based on the date they were first made public. The ratio of OSS had been decreasing since 2008, but in 2011, 884 vulnerabilities in OSS were registered, raising the ratio from 27 percent in the previous year to 33 percent. One reason behind this increase appears to be, again, that all vulnerability countermeasure information released daily on NVD has been added to the scope of JVN iPedia. In total, 33 percent of the registered vulnerabilities are in OSS and 67 percent in non-OSS.
Figures 8 and 9 illustrate the breakdown of OSS and non-OSS software developers (vendors) registered on JVN iPedia, with Figure 8 representing OSS vendors and Figure 9 representing non-OSS vendors.
As shown in Figure 8, the registered OSS vendors consist of 74 domestic vendors, 29 foreign vendors with an office in Japan, and 349 foreign vendors without an office in Japan, a cumulative total of 452 OSS vendors. Similarly, as Figure 9 shows, the 420 registered non-OSS vendors consist of 130 domestic vendors, 95 foreign vendors with an office in Japan, and 195 foreign vendors without an office in Japan.
In the case of OSS vendors, most of the registered vulnerability countermeasure information comes from foreign vendors without an office in Japan. When using OSS, if product users do not have the knowledge required to update software to the latest version or to apply security patches, they should take support contracts and/or the purchase of product support services provided by the vendor into account.
Table 2 lists the top 20 most accessed vulnerability countermeasure information entries in the JVN iPedia database during the 4th quarter of 2011 (October - December). Of the 20, 12 are vulnerabilities released on JVN.

| Rank | ID | Title | Accesses | CVSS Base Score | Published Date |
|---|---|---|---|---|---|
| 1 | JVNDB-2011-000089 | Touhou Hisouten vulnerable to denial-of-service | 2,073 | 5.0 | 2011/10/28 |
| 2 | JVNDB-2011-002172 | Apache HTTPD Server denial of service vulnerability | 1,683 | 7.8 | 2011/9/1 |
| 3 | JVNDB-2011-002305 | SSL 3.0 and TLS 1.0 allow chosen plaintext attack in CBC modes | 1,306 | 4.3 | 2011/10/4 |
| 4 | JVNDB-2011-000088 | Safari for iOS vulnerable to cross-site scripting | 1,259 | 2.6 | 2011/10/17 |
| 5 | JVNDB-2011-000085 | DAEMON Tools vulnerable to denial-of-service | 1,228 | 4.9 | 2011/10/13 |
| 6 | JVNDB-2011-002351 | Apache HTTP Server mod_proxy vulnerability allows remote attackers to send requests to intranet servers | 1,173 | 5.0 | 2011/10/12 |
| 7 | JVNDB-2011-000091 | FFFTP may insecurely load executable files | 1,157 | 5.1 | 2011/10/28 |
| 8 | JVNDB-2011-002786 | Apache HTTP Server Denial of Service Vulnerability | 1,006 | 4.0 | 2011/11/11 |
| 9 | JVNDB-2011-002979 | Android cross-application scripting | 979 | 4.3 | 2011/11/21 |
| 10 | JVNDB-2011-000087 | EC-CUBE vulnerable to SQL injection | 954 | 5.0 | 2011/10/14 |
| 11 | JVNDB-2011-000099 | ChaSen vulnerable to buffer overflow | 952 | 6.8 | 2011/11/8 |
| 12 | JVNDB-2011-000079 | Cybozu Office vulnerable in restricting access | 902 | 4.0 | 2011/10/7 |
| 13 | JVNDB-2011-000076 | Nikki vulnerable to OS command injection | 876 | 7.5 | 2011/11/21 |
| 14 | JVNDB-2011-000092 | Multiple D-Link products vulnerable to buffer overflow | 841 | 10.0 | 2011/10/28 |
| 15 | JVNDB-2011-000100 | PowerChute Business Edition vulnerable to cross-site scripting | 839 | 4.3 | 2011/12/2 |
| 16 | JVNDB-2011-000105 | Safari for iOS vulnerable to denial-of-service | 803 | 4.3 | 2011/12/15 |
| 17 | JVNDB-2011-000082 | WEB FORUM vulnerable to cross-site scripting | 792 | 4.3 | 2011/10/11 |
| 18 | JVNDB-2011-000068 | Multiple vulnerabilities in Phorum | 781 | 2.6 | 2011/9/2 |
| 19 | JVNDB-2011-003069 | ISC BIND 9 resolver denial of service vulnerability | 672 | 5.0 | 2011/11/28 |
| 20 | JVNDB-2011-000086 | DBD::mysqlPP vulnerable to SQL injection | 672 | 6.8 | 2011/10/14 |

Table 3 lists the top 5 most accessed vulnerability countermeasure information entries among those reported by domestic product developers.

| Rank | ID | Title | Accesses | CVSS Base Score | Published Date |
|---|---|---|---|---|---|
| 1 | JVNDB-2011-003295 | JP1/Cm2/Network Node Manager i Denial of Service (DoS) Vulnerability | 197 | 7.8 | 2011/12/9 |
| 2 | JVNDB-2008-001647 | Jasmine WebLink Template Multiple Vulnerabilities | 161 | 7.5 | 2008/9/10 |
| 3 | JVNDB-2008-001150 | JP1/HIBUN Encryption/Decryption and Removable Media Control Malfunction Problems | 129 | 3.6 | 2008/3/14 |
| 4 | JVNDB-2010-002807 | Accela BizSearch Standard Search Page Cross-Site Scripting Vulnerability | 117 | 4.3 | 2011/5/26 |
| 5 | JVNDB-2011-001927 | Arbitrary Code Execution Vulnerability in HiRDB Control Manager | 117 | 10.0 | 2011/7/26 |
Note 1) Color Code for CVSS Base Score and Severity Level: CVSS Base Score 0.0-3.9 = Severity Level I (Low); 4.0-6.9 = Severity Level II (Medium); 7.0-10.0 = Severity Level III (High)
Note 2) Color Code for Published Date: published in 2009 and before; published in 2010; published in 2011
(*1) Japan Vulnerability Notes. A portal for vulnerability countermeasure information that provides information on vendor responses to reported vulnerabilities and on security support. Operated jointly by IPA and JPCERT/CC.
(*2) National Vulnerability Database. A vulnerability database operated by NIST.
(*3) National Institute of Standards and Technology. A U.S. federal agency that develops and promotes measurement, standards and technology.
(*4) See the press release "Security Alert for Cyberattacks by Targeted Attack Email"
(*5) Common Vulnerability Scoring System (CVSS)
Based on a numeric Base Score, severity is evaluated in three levels; the higher the number, the higher the severity.
- Level III: A threat that could allow complete remote control of the targeted system or lead to disclosure of a major part of its information.
- Level II: A threat that could lead to disclosure of part of the information or to denial of service.
- Level I: The conditions required to execute an attack are complicated, or the threat falls under Level II but is very unlikely to be reproduced.
(*6) Transition to the New Version of Vulnerability Severity Scoring System CVSS v2.
(*7) MyJVN Version Checker
(*9) CWE (Common Weakness Enumeration)
For more information, visit: http://www.ipa.go.jp/security/english/vuln/CWE_en.html
(*11) A hands-on vulnerability learning and experiencing tool "AppGoat"
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)