Dec. 3, 2012
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/) is endeavoring to become a comprehensive database where vulnerability countermeasure information for software products used in Japan is gathered and IT users can easily access the information. JVN iPedia has collected and conducted translations on the vulnerability countermeasure information made public by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), a vulnerability information database run by NIST(*3). JVN iPedia has continued to make these information available to the public since April 25, 2007.
~Vulnerability information stored in JVN iPedia now surpasses 30,000~
Among the vulnerability information registered to the Japanese version of JVN iPedia for the 3rd quarter of 2012 (July 1 to September 30, 2012), those gathered from domestic developers are 2 cases (135 cumulative cases from the launch of JVN iPedia), 171 cases from JVN (2,179 cumulative cases), and 7,736 cases from NVD (28,529 cumulative cases), bringing a quarterly total to 7,909 (30,843 cumulative cases). The total number of vulnerability information registered now surpasses 30,000 (See Table 1, Figure 1).
As for the English version of JVN iPedia, 2 were gathered from domestic developers (135 cumulative cases) and 28 from JVN (682 cumulative cases), making a quarterly total to 30 cases (817 cumulative cases).
|Information Source||Registered Cases||Cumulative Cases|
|Japanese Version||Domestic Product Developers||2 cases||135 cases|
|JVN||171 cases||2,179 cases|
|NVD||7,736 cases||28,529 cases|
|Total||7,909 cases||30,843 cases|
|English Version||Domestic Product Developers||2 cases||135 cases|
|JVN||28 cases||682 cases|
|Total||30 cases||817 cases|
To make JVN iPedia more useful for system administrators, IPA is expanding its coverage of vulnerability information registered to JVN iPedia. Since we added 6,000 vulnerabilities that were released on NVD in the past but not yet published on JVN iPedia just like the previous quarter, the number of vulnerabilities registered in this quarter is about the same as the previous quarter.
By expanding the products that JVN iPedia covers, system administrators are able to obtain a broader range of information.
Besides the publication of the latest vulnerability information, IPA will continue to translate and publish the other information released on NVD.
~Tons of vulnerabilities in Android applications running on smartphones reported. Update now!~
The number of smartphone users is drastically increasing in recent years and the development of smartphone applications by both businesses and individuals is heating up. In the last few years, as Android gains a bigger share in the smartphone market, the number of reported vulnerabilities in Android applications increases as well. Figure 2 shows the annual transitions in vulnerabilities in smartphone software (operating systems and applications) registered to JVN iPedia by the type of platforms. As shown in the figure, a rise in the number of vulnerabilities in Android software is prominent. Figure 3 extracted just Android software from Figure 2. Last year, there were 13 reports but there were already 90 reports so far. It is assumed that it is because the number of Android applications increased and the both domestic and overseas security researchers became more serious about Android as it got popular.
Figure 4 shows the proportion of the severity of vulnerabilities in Android software sorted by the Google Play(*4) software categories. 61 vulnerabilities in communication applications, such as browsers and email applications, and social networking applications to communicate with others have been registered, and they account for 59 percent of the total (103 vulnerabilities). These applications essentially handle personal information. The users need to understand there is a risk that data, such as message and email contents, communication history and address book, can be stolen if keep using the old-version applications that contain vulnerabilities.
If using the old-version applications that have vulnerabilities, update them immediately. IPA also hopes that smartphone application developers are proactive in fixing vulnerability in their products.
~More than 60 percent of vulnerabilities in industrial control system have been labeled as highly severe~
In recent years, vulnerabilities in industrial control systems (ICS) like controllers and monitoring systems used in facilities, such as production plants, have been published more and more.
Figure 5 shows the number and severity of the ICS vulnerabilities registered to JVN iPedia. The number of vulnerabilities registered in 2011 was 87. Compared to 21 in 2010, it is a fourfold increase, and this increasing tendency continues in 2012.
Figure 6 and 7 show the severity of vulnerabilities among the ICS software and across all software, respectively. As for the ICS software, 62 percent of the vulnerabilities were labeled as level III ("High", CVSS Base Score = 7.0-10.0), 36 percent were level II ("Medium", CVSS Base Score = 4.0-6.9) and 2 percent were level I ("Low", CVSS Base Score = 0.0-3.9). This is high compared with across all software applications.
The ICS users should check on vulnerability information regularly, and if there is vulnerability in a product they use, ask its vendor or retailer if there is a fix, like an updated version, and take necessary action promptly. If they cannot take action immediately for some reasons, evaluate the environment and risks of the networks in which the vulnerable industrial control system operates, and consider whether to apply the fix or take alternative measures(*5).
Figure 8 illustrates the number of vulnerability countermeasure information registered during the 3rd quarter, sorted by their vulnerability type using CWE.
The types of vulnerabilities that have been reported a lot this quarter are CWE-79 (Cross-Site Scripting) with 978 cases, CWE-89 (SQL Injection) with 890 cases, CWE-119 (Buffer Errors) with 684 cases, CWE-264 (Permissions, Privileges, and Access Controls) with 487 cases, CWE-22 (Path Traversal) with 340 cases and CWE-20 (Improper Input Validation) with 311 cases.
Most of these are well-known types of vulnerabilities. Software developers should refer to the IPA guidelines that address these vulnerabilities, such as "Secure Programming Course"(*6), to make sure to implement necessary security measures from the planning and design phase of software development. IPA also offers a hands-on vulnerability learning and experiencing tool "AppGoat(*7)" to promote secure programming.
Figure 9 shows the annual transitions in the severity of vulnerabilities registered to JVN iPedia based on the date they were first made public.
As of September 30, 2012, 45 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 48 percent were labeled level II ("Medium", CVSS Base Score = 4.0-6.9) and 7 percent were level I ("Low", CVSS Base Score = 0.0-3.9).
Considering the vast number of published vulnerabilities is being labeled with the higher severity levels, it is essential for IT users to check on vulnerability information on a daily basis, and apply updates or security patches without delay.
Figure 10 shows the annual transitions in the type of software products registered to JVN iPedia for having vulnerabilities, based on their respective publication date. Because all vulnerability countermeasure information released daily on NVD have been added to the scope of coverage of JVN iPedia since the 4th quarter of 2011, the number of vulnerability information registered has increased. It was 4,270 in 2010 and 3,755 in 2011: around 4,000 vulnerabilities are registered each year and an increasing trend remains in 2012 as well.
Since about 2008, the vulnerabilities in industrial control systems used in critical infrastructures have been registered as well. It was 8 in 2008, 10 in 2009, 21 in 2010, 87 in 2011 and 138 in 2012 so far - the total of 264 industrial control systems vulnerabilities are stored in JVN iPedia.
Since many new software applications are developed each year with old and new vulnerabilities, improving application security is getting more and more important. It is essential for IT users to check on vulnerability information on a daily basis, and apply updates or security patches without delay.
Figure 11 shows the annual transitions in JVN iPedia registered vulnerabilities found in open source software (OSS) and non-OSS based on the date they were first made public. Looking at the OSS annual transitions in recent years, the ratio of OSS had been on the decrease since 2008, but in 2011, 1,567 OSS vulnerabilities were registered, increasing the ratio from 35 percent in 2010 to 37 percent in 2011. One of the reasons behind this increase is that all vulnerability countermeasure information released daily on NVD have been added to the scope of coverage of JVN iPedia. In total, 39 percent of the vulnerabilities registered are of OSS and 61 percent are of non-OSS.
Figure 12 and 13 illustrate the breakdown of OSS and non-OSS software developers (vendors) registered on JVN iPedia, with Figure 12 representing OSS vendors and Figure 13 representing non-OSS vendors.
As shown in Figure 12, the registered OSS vendors consist of 83 domestic vendors, 57 foreign vendors with Japan office, and 3,080 foreign vendors without office in Japan; a cumulative total of 3,220 OSS vendors. Similarly, as Figure 13 represents, the total of 3,151 registered non-OSS vendors consist of 163 domestic vendors, 193 foreign vendors with office in Japan, and 2,795 foreign vendors without office in Japan.
In the case of OSS vendors, a vast amount of vulnerability countermeasure information registered is from foreign vendors without office in Japan. When using OSS, if product users do not have the proper knowledge required to update software to the latest version or to apply security patches, it is necessary to take contract agreements for support into account and/or the purchase of product support services provided by the vendor.
Table 2 lists the top 20 most accessed vulnerability countermeasure information in the JVN iPedia database during the 3rd quarter of 2012 (July - September).
Table 3 lists the top 5 vulnerability countermeasure information accessed among those reported by domestic product developers.
|1||JVNDB-2012-003918||Oracle Java 7 Vulnerability||2,785||6.8||2012/8/29|
|2||JVNDB-2012-000077||Multiple GREE Android applications vulnerable in the WebView class||2,022||2.6||2012/8/16|
|3||JVNDB-2012-003068||Vulnerability in DataNode in Apache Hadoop Where Remote Client Could Read Arbitrary Block||1,621||7.5||2012/7/17|
|4||JVNDB-2012-000072||Yahoo! Toolbar (for Chrome, Safari) vulnerable to toolbar alteration||1,476||4.3||2012/7/30|
|5||JVNDB-2012-001258||Vulnerability in protocol.c in Apache HTTP Server allows attacker to obtain the values of HTTPOnly cookies||1,299||4.3||2012/2/1|
|6||JVNDB-2012-003877||Integer Overflow Vulnerabilities in stdlib in GNU C Library||1,118||4.6||2012/8/28|
|7||JVNDB-2012-000074||LINE for Android vulnerable in handling of implicit intents||1,046||2.6||2012/8/7|
|8||JVNDB-2011-002305||SSL 3.0 and TLS 1.0 allow chosen plaintext attack in CBC modes||1,007||4.3||2011/10/4|
|9||JVNDB-2011-002172||Apache HTTPD Server DoS Vulnerability||971||7.8||2011/9/1|
|10||JVNDB-2012-000064||Yome Collection for Android issue in management of IMEI||964||2.6||2012/7/3|
|11||JVNDB-2012-000070||Yahoo! Browser vulnerable in the WebView class||874||2.6||2012/7/13|
|12||JVNDB-2012-003240||Vulnerability in the stream Implementation in PHP||865||10.0||2012/7/23|
|13||JVNDB-2012-000066||Ruby hash table implementation vulnerable to denial-of-service||775||5.0||2012/7/6|
|14||JVNDB-2012-003247||Vulnerability in WordPress Where Remote Attacker Could Obtain Sensitive Information||747||5.0||2012/7/24|
|15||JVNDB-2012-000073||GoodReader vulnerable to cross-site scripting||731||5.0||2012/8/2|
|16||JVNDB-2012-000078||mixi for Android information management vulnerability||674||2.6||2012/8/17|
|17||JVNDB-2012-004397||Internet Explorer Arbitrary Code Execution Vulnerability||662||9.3||2012/9/18|
|18||JVNDB-2012-003032||Vulnerability in Multiple F5 Products Where Remote Attacker Could Perform SSH Logins||630||7.8||2012/7/11|
|19||JVNDB-2012-003305||ISC BIND DoS Vulnerability (Assertion Failure and Daemon Exit)||627||7.8||2012/7/26|
|20||JVNDB-2012-003026||Integer Overflow Vulnerability in the phar Extension in PHP||617||7.5||2012/7/10|
|1||JVNDB-2012-003244||Privilege escalation vulnerability in Hitachi JP1/NETM/DM||562||7.2||2012/7/23|
|2||JVNDB-2012-003525||Cross-site Scripting Vulnerability in JP1/Integrated Management - Service Support||404||3.5||2012/8/10|
|3||JVNDB-2012-002377||Arbitrary Code Execution Vulnerability in Hitachi COBOL GUI Option on Windows||178||10.0||2012/5/14|
|4||JVNDB-2008-001150||JP1/HIBUN Encryption/Decryption and Removable Media Control Malfunction Problems||175||3.6||2008/3/14|
|5||JVNDB-2012-001932||Vulnerability in Fujitsu Interstage List Works Where Permissions Cannot Be Denied||165||3.6||2012/3/29|
Note 1) Color Code for CVSS Base Score and Severity Level
|CVSS Base Score
Severity Level = I (Low)
|CVSS Base Score
Severity Level = II (Medium)
|CVSS Base Score
Severity Level = III (High)
Note 2) Color Code for Published Date
|Published in 2010 and before||Published in 2011||Published in 2012|
(*1) Japan Vulnerability Notes. A portal for vulnerability countermeasure information providing information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.
(*2) National Vulnerability Database. A vulnerability database operated by NIST.
(*3) National Institute of Standards and Technology. A U.S federal agency that develops and promotes measurement, standards and technology.
(*4) Google Play. A distribution and shop service for Android applications by Google. Applications are categorized into the types shown in the following URL:
(*5) Security Alert for Vulnerability in Control Systems
(*7) Hands-on vulnerability learning and experiencing tool "AppGoat"
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)