May. 15, 2012
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/) is endeavoring to become a comprehensive database where vulnerability countermeasure information for software products used in Japan is gathered and IT users can easily access the information. JVN iPedia has collected and conducted translations on the vulnerability countermeasure information made public by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), a vulnerability information database run by NIST(*3). JVN iPedia has continued to make these information available to the public since April 25, 2007.
~Vulnerability information stored in JVN iPedia now surpasses 15,000~
Among the vulnerability information registered to the Japanese version of JVN iPedia for the 1st quarter of 2012 (January 1 to March 31, 2012), those gathered from domestic developers are 5 cases (132 cumulative cases from the launch of JVN iPedia), 165 cases are from JVN (1,735 cumulative cases), and 3,034 cases from NVD (14,027 cumulative cases), bringing a quarterly total to 3,204 cases (15,894 cumulative cases). The total number of vulnerability information registered now surpasses 15,000 (See Table 1, Figure 1).
As for the English version of JVN iPedia, 6 were gathered from domestic developers (131 cumulative cases) and 26 from JVN (621 cumulative cases), making a quarterly total to 32 cases (752 cumulative cases).
|Information Source||Registered Cases||Cumulative Cases|
|Japanese Version||Domestic Product Developers||5 cases||132 cases|
|JVN||165 cases||1,735 cases|
|NVD||3,034 cases||14,027 cases|
|Total||3,204 cases||15,894 cases|
|English Version||Domestic Product Developers||6 cases||131 cases|
|JVN||26 cases||621 cases|
|Total||32 cases||752 cases|
IPA is expanding its coverage of vulnerability information registered to JVN iPedia for system administrator to utilize, and has begun to translate and publish all vulnerability countermeasure information released daily on NVD in a day or two since the 4th quarter of the year 2011. The reason why the number of vulnerabilities registered this quarter is much larger than that in the previous quarter is that 2,000 vulnerabilities that were released on the NVD but not published on JVN iPedia were now added to JVN iPedia.
By expanding the products that JVN iPedia covers, system administrators are able to obtain a broader range of information.
Besides the publication of the latest vulnerability information, IPA is going to translate and publish the NVD information released in the past. Including them, the total number of vulnerability countermeasure information stored in JVN iPedia will reach 35,000 by the end of 2012.
~Lots of vulnerabilities in smartphone OS and applications reported. Check and update promptly~
The use of smartphones has been spreading in recent years and the number of smartphone-related vulnerabilities is also on the rise as proportional to that of the users. Figure 2 shows the annual transitions in vulnerabilities in software (OS and applications) that runs on smartphones registered to JVN iPedia sorted by platforms. The number is increasing year after year and in the 1st quarter only, 127 cases were reported, increasing more than threefold compared to 2011.
Figure 3 shows the annual transitions in vulnerabilities in software that runs on smartphones registered to JVN iPedia sorted by the types of software. The number of vulnerability information about applications has been increasing since the last half of 2011, and 60 vulnerabilities were registered in the 1st quarter of 2012. All of those 60 vulnerabilities were about the applications that run on Android OS.
JVN iPedia rates each vulnerability according to the CVSS(*4) and publishes its severity level(*5). Figure 4 shows the severity of vulnerability in software that runs on smartphones based on their respective publication date. 326 vulnerabilities that are labeled level III ("High", CVSS Base Score = 7.0-10.0) have been registered, which account for 61 percent of the total.
The vulnerabilities with high severity have been reported. Smartphone users should take security measures just like they do for PCs. For the safe use of smartphone, see the documents offered by IPA as reference(*6).
~Vulnerability information about in control systems is increasing year after year~
In recent years, vulnerability information about software for industrial control systems (ICS) used in manufacturing facilities and other facilities has been increasing.
Figure 5 shows the number and severity of vulnerabilities in industrial control system software registered to JVN iPedia. 72 cases were reported in 2011, which was about a 3.5 times increase from the previous year, and it is expected to be on the rise in 2012 as well.
Figure 6 and 7 shows the severity level of vulnerabilities in industrial control system software and all vulnerabilities registered to JVN iPedia. As for ICS software, 67 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 31 percent were labeled level ll ("Medium", CVSS Base Score = 4.0-6.9) and 2 percent were level I ("Low", CVSS Base Score = 0.0-3.9). As seen on the figures, compared to all vulnerabilities, the vulnerabilities with high severity have been reported.
Figure 8 shows the number of vulnerabilities about industrial control system software based on CWE(*7) vulnerability types. CWE-119 (Buffer Errors), the type of vulnerabilities that could lead to serious security threat like arbitrary code execution, accounts for 58 percent of the total.
Control system users should check on vulnerability information regularly. In the case there are vulnerabilities in the products in use, ask the vendor or seller for the countermeasures, such as product update, and if there is one, take action immediately. If it is impossible to implement security measures immediately, review the use environment, such as network design, and risks of the industrial control systems and improve security or take other measures. (*8)
Figure 9 illustrates the number of vulnerability countermeasure information registered during the 1st quarter, sorted by their vulnerability type using CWE.
The types of vulnerabilities that have been reported a lot this quarter are CWE-79 (Cross-Site Scripting) with 499 cases, CWE-119 (Buffer Errors) with 324 cases, CWE-264 (Permissions, Privileges, and Access Controls) with 289 cases, CWE-89 (SQL Injection) with 270 cases, CWE-200 (Information Leak) with 261 cases and CWE-20 (Improper Input Validation) with 224 cases.
Most of these are well-known types of vulnerabilities. Software developers should refer to the IPA guidelines that address these vulnerabilities, such as the "Secure Programming Course"(*9), to make sure to implement necessary security measures from the planning and design phase of software development. A hands-on vulnerability learning and experiencing tool "AppGoat(*10)" is also effective to learn about vulnerability.
Figure 10 shows the annual transitions in the severity of vulnerabilities registered to JVN iPedia based on the date they were first made public.
As of March 31, 2012, 44 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 48 percent were labeled level ll ("Medium", CVSS Base Score = 4.0-6.9) and 8 percent were level I ("Low", CVSS Base Score = 0.0-3.9).
Considering the vast number of published vulnerabilities is being labeled with the higher severity levels, it is essential for IT users to check on vulnerability information on a daily basis, and apply updates or security patches without delay.
Figure 11 shows the annual transitions in the type of software products registered to JVN iPedia for having vulnerabilities, based on their respective publication date. Because all vulnerability countermeasure information released daily on NVD have been added to the scope of coverage of JVN iPedia, the registration of vulnerability information about software applications has been increasing. It was 2,322 in 2010 and increased by about 1.6 times to 3,627 in 2011 and keep increasing in 2012 as well.
Since about 2008, the vulnerabilities in the industrial control systems used in critical infrastructures have been also reported. 8 in 2008, 10 in 2009, 21 in 2010, 72 in 2011 and 57 in 2012 so far - the total of 168 industrial control systems vulnerabilities are stored in JVN iPedia.
Since many new software applications are developed each year with old and new vulnerabilities, improving application security is getting more and more important. It is essential for IT users to check on vulnerability information on a daily basis, and apply updates or security patches without delay.
Figure 12 shows the annual transitions in JVN iPedia registered vulnerabilities found in open source software (OSS) and non-OSS based on the date they were first made public. Looking at the OSS annual transitions in recent year, the ratio of OSS had been on the decrease since 2008, but in 2011, 1,0460 OSS applications were registered, increasing the ratio from 30 percent in the previous year to 35 percent. It would appear that one of the reasons behind this increase is also that all vulnerability countermeasure information released daily on NVD have been added to the scope of coverage of JVN iPedia. In total, 34 percent of the vulnerabilities registered are of OSS and 66 percent are of non-OSS.
Figure 13 and 14 illustrate the breakdown of OSS and non-OSS software developers (vendors) registered on JVN iPedia, with Figure 13 representing OSS vendors and Figure 14 representing non-OSS vendors.
As shown in Figure 13, the registered OSS vendors consist of 75 domestic vendors, 36 foreign vendors with Japan office, and 829 foreign vendors without office in Japan; a cumulative total of 940 OSS vendors. Similarly, as Figure 14 represents, the total of 770 registered non-OSS vendors consist of 136 domestic vendors, 124 foreign vendors with office in Japan, and 510 foreign vendors without office in Japan.
In the case of OSS vendors, a vast amount of vulnerability countermeasure information registered is from foreign vendors without office in Japan. When using OSS, if product users do not have the proper knowledge required to update software to the latest version or to apply security patches, it is necessary to take contract agreements for support into account and/or the purchase of product support services provided by the vendor.
Table 2 lists the top 20 most accessed vulnerability countermeasure information in the JVN iPedia database during the 1st quarter of 2012 (January - March).
Table 3 lists the top 5 vulnerability countermeasure information accessed among those reported by domestic product developers.
|1||JVNDB-2012-001195||Horde IMP and Horde Groupware Webmail Edition Cross-Site Scripting Vulnerability||10,215||4.3||2012/1/27|
|2||JVNDB-2012-001197||Horde Groupware Webmail Edition Cross-Site Scripting Vulnerability||10,123||4.3||2012/1/27|
|3||JVNDB-2012-001003||Apache Tomcat: Hash Table Collisions CPU Usage DoS Vulnerability||2,106||5.0||2012/1/6|
|4||JVNDB-2012-001810||Unspecified Vulnerability in the NetFront Life Browser for Android||2,020||10.0||2012/3/19|
|5||JVNDB-2011-002305||SSL 3.0 and TLS 1.0 Allow Chosen Plaintext Attack in CBC Modes||1,503||4.3||2011/10/4|
|6||JVNDB-2012-000014||Multiple COOKPAD Applications for Android Vulnerable in WebView Class||1,500||2.6||2012/2/22|
|7||JVNDB-2011-002172||Apache HTTPD Server DoS Vulnerability||1,281||7.8||2011/9/1|
|8||JVNDB-2011-003565||PHP: Hash Table Collisions CPU Usage DoS Vulnerability||1,272||5.0||2012/1/4|
|9||JVNDB-2012-000024||twicca Fails to Restrict Access Permissions||1,188||2.6||2012/3/13|
|10||JVNDB-2011-000110||WordPress Japanese Vulnerable to Cross-Site Scripting||1,188||4.3||2011/12/26|
|11||JVNDB-2011-003563||Ruby: Hash Table Collisions CPU Usage DoS Vulnerability||1,141||7.8||2012/1/4|
|12||JVNDB-2012-001258||protocol.c in Apache HTTP Server Allows to Obtain the Values of HTTPOnly Cookies||1,112||4.3||2012/2/1|
|13||JVNDB-2011-000109||WordPress Vulnerable to Arbitrary PHP Code Execution||1,049||6.5||2011/12/26|
|14||JVNDB-2011-003560||Microsoft .NET Framework: Hash Table Collisions CPU Usage DoS Vulnerability||1,022||7.8||2012/1/4|
|15||JVNDB-2012-000025||Redmine Vulnerable to Cross-Site Scripting||916||4.0||2012/3/13|
|16||JVNDB-2012-000012||Apache Struts 2 Vulnerable to an Arbitrary JavaMethod Execution||903||6.8||2012/2/10|
|17||JVNDB-2012-001323||PHP php_register_variable_ex in php_variables.c Arbitrary Code Execution Vulnerability||886||7.5||2012/2/8|
|18||JVNDB-2012-001355||Multiple DNS Design Error||858||5.0||2012/2/10|
|19||JVNDB-2012-000007||Oracle WebLogic Server Vulnerable to Cross-Site Scripting||851||2.6||2012/1/20|
|20||JVNDB-2012-001018||OpenSSL Double-Free Issue||805||9.3||2012/1/10|
|1||JVNDB-2011-003295||JP1/Cm2/Network Node Manager i Denial of Service (DoS) Vulnerability||197||7.8||2011/12/9|
|2||JVNDB-2008-001647||Jasmine WebLink Template Multiple Vulnerabilities||161||7.5||2008/9/10|
|3||JVNDB-2008-001150||JP1/HIBUN Encryption/Decryption and Removable Media Control Malfunction Problems||129||3.6||2008/3/14|
|4||JVNDB-2010-002807||Accela BizSearch Standard Search Page Cross-Site Scripting Vulnerability||117||4.3||2011/5/26|
|5||JVNDB-2011-001927||Arbitrary Code Execution Vulnerability in HiRDB Control Manager||117||10.0||2011/7/26|
Note 1) Color Code for CVSS Base Score and Severity Level
|CVSS Base Score
Severity Level = I (Low)
|CVSS Base Score
Severity Level = II (Medium)
|CVSS Base Score
Severity Level = III (High)
Note 2) Color Code for Published Date
|Published in 2010 and before||Published in 2011||Published in 2012|
(*1) Japan Vulnerability Notes. A portal for vulnerability countermeasure information providing information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.
(*2) National Vulnerability Database. A vulnerability database operated by NIST.
(*3) National Institute of Standards and Technology. A U.S federal agency that develops and promotes measurement, standards and technology.
(*4) Common Vulnerability Scoring System (CVSS)
(*5) Transition to the New Version of Vulnerability Severity Scoring System CVSS v2.
(*6) Use Smartphone Safely! ~ Six Principles to Use Smartphone Safely ~
Smartphone Security <Crisis Prevention> Security Guide
(*7) CWE (Common Weakness Enumeration)
For more information, visit: http://www.ipa.go.jp/security/english/vuln/CWE_en.html
(*8) Security Alert for Vulnerability in Control Systems
(*10) A hands-on vulnerability learning and experiencing tool "AppGoat"
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)