Jul. 20, 2012
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/) is endeavoring to become a comprehensive database where vulnerability countermeasure information for software products used in Japan is gathered and IT users can easily access the information. JVN iPedia has collected and conducted translations on the vulnerability countermeasure information made public by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), a vulnerability information database run by NIST(*3). JVN iPedia has continued to make these information available to the public since April 25, 2007.
~Vulnerability information stored in JVN iPedia now surpasses 22,000~
Among the vulnerability information registered to the Japanese version of JVN iPedia for the 2nd quarter of 2012 (April 1 to June 30, 2012), those gathered from domestic developers are 1 cases (133 cumulative cases from the launch of JVN iPedia), 273 cases are from JVN (2,008 cumulative cases), and 6,766 cases from NVD (20,793 cumulative cases), bringing a quarterly total to 7,040 (22,934 cumulative cases). The total number of vulnerability information registered now surpasses 22,000 (See Table 1, Figure 1).
As for the English version of JVN iPedia, 2 were gathered from domestic developers (133 cumulative cases) and 33 from JVN (654 cumulative cases), making a quarterly total to 35 cases (787 cumulative cases).
|Information Source||Registered Cases||Cumulative Cases|
|Japanese Version||Domestic Product Developers||1 cases||133 cases|
|JVN||273 cases||2,008 cases|
|NVD||6,766 cases||20,793 cases|
|Total||7,040 cases||22,934 cases|
|English Version||Domestic Product Developers||2 cases||133 cases|
|JVN||33 cases||654 cases|
|Total||35 cases||787 cases|
To make JVN iPedia more useful for system administrators, IPA is expanding its coverage of vulnerability information registered to JVN iPedia. Like the previous quarter, the number of vulnerabilities covered by JVN iPedia increased considerably by adding 6,000 vulnerability data that were released on NVD in the past but not yet published on JVN iPedia.
By expanding the products that JVN iPedia covers, system administrators are able to obtain a broader range of information.
Besides the publication of the latest vulnerability information, IPA is going to translate and publish the information released on NVD in the past. Including them, the total number of vulnerability countermeasure information stored in JVN iPedia will reach 35,000 by the end of 2012.
~Improved the completeness and timeliness of vulnerability information~
Up to the last year, JVN iPedia collected and stored the vulnerability countermeasure information about the products widely used in Japan. These days, however, because the range of the products used is getting more and more diverse, IPA has begun to add all vulnerability information released daily on NVD to JVNB iPedia since the last quarter to improve the completeness of vulnerability information, making it possible for IT users to check out various products. In addition, those NVD information are to be translated and published on JVN iPedia in a day or two as a standard operating procedure to improve their timeliness.
Figure 2 shows the monthly transitions in the number of vulnerability information published on NVD and JVN iPedia. JVN iPedia caught up with NVD in November 2011, and after that, there hasn't been much difference between two.
Table 2 shows the publishing status of JVN iPedia for the first half of the year 2012. For 92 out of 123 business days (more than two thirds), IPA checked and confirmed the release of vulnerability countermeasure information on NVD and published it within the same day.
|Publishing Status||Days Taken to Publish (%)|
|Within the same day after release on NVD||92 (74.8%)|
|Within 2 days after release on NVD||29 (23.6%)|
|Within 3 days||2 (1.6%)|
|after release on NVD|
JVN iPedia enables IT users to check out vulnerability information about a wide variety of products in Japanese through browsers and MyJVN API. By using a tool like an RSS reader, IT users can also receive the latest vulnerability countermeasure information in Japanese. This makes it possible to fix vulnerabilities in the products in use or give heads-up.
~Lots of vulnerabilities in JRE reported~
Malware infection that exploits vulnerabilities in JRE(*4) published in 2012/1Q is spreading. The malware targets not only Windows but Mac computers as well, and it's said more than 600,000 Mac computers have been infected worldwide. Malware that can screw both Windows and Mac operating systems is spreading like wildfire and we all must be diligent in keeping an eye on JRE vulnerabilities.
Figure 3 shows the proportion of the number and severity(*5) of JRE and Java SE(*6) vulnerabilities registered to JVN iPedia. Since 2008, more than 50 vulnerabilities have been registered every year. As for the severity, 58 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 38 percent were labeled level ll ("Medium", CVSS Base Score = 4.0-6.9) and 4 percent were level I ("Low", CVSS Base Score = 0.0-3.9). As shown in the figures, the vulnerabilities with high severity have been reported. Keeping an increasing trend, 27 vulnerabilities have been reported so far in 2012 and 59 percent of them are leveled level III. IT users need to stay watchful for new vulnerabilities that will be released.
Since 2010, security updates have been released irregularly about 6 times a year. IT users need to obtain the update information promptly as released and take necessary action.
In addition to the use of the automatic update service of the software applications(*7), IPA recommends the use of MyJVN Version Checker(*8), a tool to see if the software applications installed in a PC are up-to-date and provide a detailed information necessary for update.
~Lots of vulnerabilities in Android application running on smartphones. Update now~
The number of smartphone users is drastically increasing in recent years and the development of smartphone applications by both businesses and individuals is heating up. In the last few years, as Android gains a bigger share in the smartphone market, the number of reported vulnerabilities in Android applications increases as well. Figure 4 shows the annual transitions in vulnerabilities in software (operating systems and applications) that runs on smartphones registered to JVN iPedia by the type of platforms. It's not difficult to see that the number of vulnerabilities in Android software is noticeable. Figure 5 extracted Android software from Figure 4. Last year, there were 13 reports but there were already 67 reports just in the first half of this year. It is assumed that it's because that the number of Android applications increased and the both domestic and overseas security researchers became more serious about Android as it got popular.
Figure 6 shows the proportion of severity of vulnerabilities in Android software sorted by the Google Play(*9) software categories. 46 vulnerabilities in communication applications, such as browsers and email applications, and social networking applications to communicate with others have been registered and they account for 58 percent of the total (80 vulnerabilities). These applications essentially handle personal information. The users need to understand there is a risk that data, such as message and email contents, communication history and address book, can be stolen if keep using the old-version applications with which vulnerabilities have been found.
If using the old-version applications that contain vulnerabilities, update them immediately. IPA also hopes that smartphone application developers are proactive in implementing security.
Figure 7 illustrates the number of vulnerability countermeasure information registered during the 2nd quarter, sorted by their vulnerability type using CWE.
The types of vulnerabilities that have been reported a lot this quarter are CWE-89 (SQL Injection) with 951 cases, CWE-79 (Cross-Site Scripting) with 741 cases, CWE-119 (Buffer Errors) with 563 cases, CWE-264 (Permissions, Privileges, and Access Controls) with 400 cases, CWE-22 (Path Traversal) with 345 cases and CWE-20 (Improper Input Validation) with 344 cases.
Most of these are well-known types of vulnerabilities. Software developers should refer to the IPA guidelines that address these vulnerabilities, such as the "Secure Programming Course"(*10), to make sure to implement necessary security measures from the planning and design phase of software development. A hands-on vulnerability learning and experiencing tool "AppGoat(*11)" is also effective to learn about vulnerability.
Figure 8 shows the annual transitions in the severity of vulnerabilities registered to JVN iPedia based on the date they were first made public.
As of June 30, 2012, 46 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 47 percent were labeled level ll ("Medium", CVSS Base Score = 4.0-6.9) and 7 percent were level I ("Low", CVSS Base Score = 0.0-3.9).
Considering the vast number of published vulnerabilities is being labeled with the higher severity levels, it is essential for IT users to check on vulnerability information on a daily basis, and apply updates or security patches without delay.
Figure 9 shows the annual transitions in the type of software products registered to JVN iPedia for having vulnerabilities, based on their respective publication date. Because all vulnerability countermeasure information released daily on NVD have been added to the scope of coverage of JVN iPedia since the 4th quarter of 2011, the number of vulnerability information registered has increased. It was 2,939 in 2010 and increased by about 1.2 times to 3,636 in 2011 and keeps an increasing trend in 2012 as well.
Since about 2008, the vulnerabilities in the industrial control systems used in critical infrastructures have been also reported. 8 in 2008, 10 in 2009, 21 in 2010, 72 in 2011 and 99 in 2012 so far - the total of 224 industrial control systems vulnerabilities are stored in JVN iPedia.
Since many new software applications are developed each year with old and new vulnerabilities, improving application security is getting more and more important. It is essential for IT users to check on vulnerability information on a daily basis, and apply updates or security patches without delay.
Figure 10 shows the annual transitions in JVN iPedia registered vulnerabilities found in open source software (OSS) and non-OSS based on the date they were first made public. Looking at the OSS annual transitions in recent year, the ratio of OSS had been on the decrease since 2008, but in 2011, 1,470 OSS applications were registered, increasing the ratio from 32 percent in 2010 to 35 percent in 2011. One of the reasons behind this increase is that all vulnerability countermeasure information released daily on NVD have been added to the scope of coverage of JVN iPedia. In total, 36 percent of the vulnerabilities registered are of OSS and 64 percent are of non-OSS.
Figure 11 and 12 illustrate the breakdown of OSS and non-OSS software developers (vendors) registered on JVN iPedia, with Figure 11 representing OSS vendors and Figure 12 representing non-OSS vendors.
As shown in Figure 11, the registered OSS vendors consist of 79 domestic vendors, 49 foreign vendors with Japan office, and 1,938 foreign vendors without office in Japan; a cumulative total of 2,066 OSS vendors. Similarly, as Figure 12 represents, the total of 2,074 registered non-OSS vendors consist of 150 domestic vendors, 162 foreign vendors with office in Japan, and 1,762 foreign vendors without office in Japan.
In the case of OSS vendors, a vast amount of vulnerability countermeasure information registered is from foreign vendors without office in Japan. When using OSS, if product users do not have the proper knowledge required to update software to the latest version or to apply security patches, it is necessary to take contract agreements for support into account and/or the purchase of product support services provided by the vendor.
Table 3 lists the top 20 most accessed vulnerability countermeasure information in the JVN iPedia database during the 2nd quarter of 2012 (April – June).
Table 4 lists the top 5 vulnerability countermeasure information accessed among those reported by domestic product developers.
|1||JVNDB-2012-000037||sp mode mail issue in the verification of SSL certificates||3,483||4.0||2012/4/26|
|2||JVNDB-2012-000054||Puella Magi Madoka Magica iP for Android vulnerable to information disclosure||1,886||2.6||2012/6/1|
|3||JVNDB-2012-001258||Vulnerability in protocol.c in Apache HTTP Server allows attacker to obtain the values of HTTPOnly cookies||1,340||4.3||2012/2/1|
|4||JVNDB-2012-000030||SENCHA SNS vulnerable to session fixation||1,303||5.8||2012/4/5|
|5||JVNDB-2012-000032||Dokodemo Rikunabi 2013 vulnerable to cross-site scripting||1,288||5.8||2012/4/13|
|6||JVNDB-2011-002305||SSL 3.0 and TLS 1.0 allow chosen plaintext attack in CBC modes||1,287||4.3||2011/10/4|
|7||JVNDB-2012-001979||Privilege escalation on Guest Operating Systems in VMware ESXi and ESX||1,172||8.3||2012/4/4|
|8||JVNDB-2012-000051||Logitec LAN-W300N/R series fails to restrict access permissions||1,165||7.5||2012/5/25|
|9||JVNDB-2011-005032||Arbitrary Code Execution Vulnerability in RPC Code Generator in Samba||1,158||10.0||2012/4/12|
|10||JVNDB-2012-000028||TOSHIBA TEC e-Studio series vulnerable to authentication bypass||1,092||6.4||2012/4/5|
|11||JVNDB-2012-000035||Multiple JustSystems products vulnerable to buffer overflow||1,086||6.8||2012/4/24|
|12||JVNDB-2012-000029||SENCHA SNS vulnerable to cross-site request forgery||1,069||2.6||2012/4/5|
|13||JVNDB-2012-000044||iLunascape for Android vulnerable in the WebView class||1,053||2.6||2012/5/21|
|14||JVNDB-2012-002099||Buffer Overflow Vulnerability in the asn1_d2i_read_bio function in Open SSL||1,009||7.5||2012/4/23|
|15||JVNDB-2012-002126||Integer Signedness Errors in crypto/buffer/buffer.c in OpenSSL||1,004||7.5||2012/4/26|
|16||JVNDB-2012-002235||Vulnerability in PHP-CGI query string handling||971||7.5||2012/5/8|
|17||JVNDB-2012-002234||Oracle Database TNS Listener Vulnerability||880||7.5||2012/5/8|
|18||JVNDB-2012-000025||Redmine vulnerable to cross-site scripting||864||4.0||2012/3/13|
|19||JVNDB-2011-002172||Apache HTTPD Server DoS Vulnerability||838||7.8||2011/9/1|
|20||JVNDB-2012-000049||Opera fails to verify SSL server certificates||822||4.3||2012/5/25|
|1||JVNDB-2012-001793||JP1/Cm2/Network Node Manager i Denial of Service (DoS) Vulnerability||530||7.8||2012/3/16|
|2||JVNDB-2012-001932||Vulnerability in Fujitsu Interstage List Works Where Permissions Cannot Be Denied||520||3.6||2012/3/29|
|3||JVNDB-2012-002377||Arbitrary Code Execution Vulnerability in Hitachi COBOL GUI Option on Windows||473||10.0||2012/5/14|
|4||JVNDB-2010-002807||Accela BizSearch Standard Search Page Cross-Site Scripting Vulnerability||191||4.3||2011/5/26|
|5||JVNDB-2008-001150||JP1/HIBUN Encryption/Decryption and Removable Media Control Malfunction Problems||172||3.6||2008/3/14|
Note 1) Color Code for CVSS Base Score and Severity Level
|CVSS Base Score
Severity Level = I (Low)
|CVSS Base Score
Severity Level = II (Medium)
|CVSS Base Score
Severity Level = III (High)
Note 2) Color Code for Published Date
|Published in 2010 and before||Published in 2011||Published in 2012|
(*1) Japan Vulnerability Notes. A portal for vulnerability countermeasure information providing information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.
(*2) National Vulnerability Database. A vulnerability database operated by NIST.
(*3) National Institute of Standards and Technology. A U.S federal agency that develops and promotes measurement, standards and technology.
(*5) Transition to the New Version of Vulnerability Severity Scoring System CVSS v2.
Common Vulnerability Scoring System (CVSS)
(*7) Use the automatic update service of software applications!
(*8) MyJVN Version Checker
(*9) Google Play. A distribution and shop service for Android applications by Google. Applications are categorized into the types shown in the following URL:
(*11) A hands-on vulnerability learning and experiencing tool "AppGoat"
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)