Jan. 21, 2013
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/) is endeavoring to become a comprehensive database where vulnerability countermeasure information for software products used in Japan is gathered and IT users can easily access the information. JVN iPedia has collected and conducted translations on the vulnerability countermeasure information made public by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), a vulnerability information database run by NIST(*3). JVN iPedia has continued to make these information available to the public since April 25, 2007.
~Vulnerability information stored in JVN iPedia is now over 38,000~
Among the vulnerability information registered to the Japanese version of JVN iPedia for the 4th quarter of 2012 (October 1 to December 31, 2012), those gathered from domestic developers are 4 cases (139 cumulative cases from the launch of JVN iPedia), 98 cases from JVN (2,412 cumulative cases), and 7,154 cases from NVD (35,548 cumulative cases), bringing a quarterly total to 7,256 (38,099 cumulative cases). The total number of vulnerability information registered is now over 38,000 (See Table 1, Figure 1).
As for the English version of JVN iPedia, 4 were gathered from domestic developers (139 cumulative cases) and 25 from JVN (707 cumulative cases), making a quarterly total to 29 cases (846 cumulative cases).
|Information Source||Registered Cases||Cumulative Cases|
|Japanese Version||Domestic Product Developers||4 cases||139 cases|
|JVN||98 cases||2,412 cases|
|NVD||7,154 cases||35,548 cases|
|Total||7,256 cases||38,099 cases|
|English Version||Domestic Product Developers||4 cases||139 cases|
|JVN||25 cases||707 cases|
|Total||29 cases||846 cases|
To make JVN iPedia more useful for system administrators, IPA is expanding its coverage of vulnerability information registered to JVN iPedia. Just like the previous quarter, since we added 6,000 vulnerabilities that were released on NVD in the past but not yet published on JVN iPedia, the number of vulnerabilities registered in this quarter increased substantially. All vulnerability information released on NVD in and after 2007 has been translated into Japanese and is available on JVN iPedia.
By expanding the products that JVN iPedia covers, system administrators are able to obtain a broader range of information.
~Lots of vulnerabilities in widely-used PC software applications reported. Check and update promptly~
Cyberattacks in recent years that aim to steal confidential information and personal information(*4) are persistent, exploit software vulnerabilities, combine multiple existing attack techniques and target specific organizations and persons, making it difficult to deal with.
Especially, vulnerabilities in standard software applications widely used on PC are exploited. Figure 2 shows the annual transitions in the number of vulnerabilities in 8 standard software products widely used on PC. The number increases year after year, and 528 vulnerabilities were registered in 2012, increased 65 compared to that in 2011.
JVN iPedia rates each vulnerability according to the CVSS(*5) and publishes its severity level(*6). Figure 3 shows the severity of vulnerability in 8 standard software products widely used on PC. There are 865 vulnerability information related to Mozilla Firefox and 590 related to Microsoft Internet Explorer and 739 related to 3 Adobe products (Reader, Acrobat, Flash Player). When focusing on the severity, 63 percent of the vulnerabilities were labeled the level III ("High", CVSS Base Score = 7.0-10.0), 34 percent were labeled the level ll ("Medium", CVSS Base Score = 4.0-6.9) and 3 percent were the level I ("Low", CVSS Base Score = 0.0-3.9). The most severe level III vulnerabilities account for about two-thirds of the total.
The vulnerabilities with high severity have been reported. It is essential for IT users to check on vulnerability information on a daily basis, and apply updates or security patches without delay.
IPA offers a free tool "MyJVN Version Checker(*7)" that enables IT users to easily check if software applications installed in their PC are the latest version. Since November 2011, its command line interface model tool(*8) is available for system administrators to check the multiple PCs automatically.
~Tons of vulnerabilities in Android applications running on smartphones reported. Update now!~
The number of smartphone users is drastically increasing in recent years and the development of smartphone applications by both businesses and individuals is heating up. Figure 4 shows the annual transitions in vulnerabilities in smartphone software (operating systems and applications) registered to JVN iPedia by the type of platforms. As shown in the figure, the rise in the number of vulnerabilities in Apple's iOS based-software and Google's Android-based software is prominent. As for Apple' iOS, among 259 vulnerabilities reported in 2012, more than 70 percent were about WebKit (HTML rendering engine).
In the last few years, as Android gains a bigger share in the smartphone market, the number of reported vulnerabilities in Android applications has increased as well. Figure 5 extracted data about Android software from Figure 4. Up to the end of 2011, there were only 18 reports but as of the end of 2012, 102 vulnerabilities on JVN iPedia. It is assumed that it is because the number of Android applications increased and the both domestic and overseas security researchers began to probe Android applications more actively as it got popular.
Figure 6 shows the proportion of the severity of vulnerabilities in Android applications sorted by the Google Play(*9) software categories. 52 vulnerabilities in communication applications, such as browsers and email services, and social networking applications to interact with others were reported, which accounts for 53 percent of the total (99 vulnerabilities). Since these applications generally handle personal information, there is a risk that data, such as message and email contents, communication history and address book, can be stolen if keep using the old-version applications that contain vulnerabilities.
If using the old-version applications that have vulnerabilities, update them immediately. IPA also hopes that smartphone application developers proactively implement countermeasures not to create vulnerabilities.
~Vulnerabilities in industrial control system have increased drastically since 2011~
In recent years, vulnerabilities in software used in industrial control systems (ICS) like controllers and monitoring systems used in facilities, such as production plants, have been increasing drastically.
Figure 7 shows the number and severity of the ICS vulnerabilities registered to JVN iPedia. The number of vulnerabilities registered in 2011 was 88. Compared to 21 in 2010, it is about a fourfold increase, and this increasing tendency continued in 2012.
Figure 8 and 9 show the severity of vulnerabilities among the ICS software and across all software, respectively. As for the ICS software, 63 percent of the vulnerabilities were labeled as the level III ("High", CVSS Base Score = 7.0-10.0), 34 percent were the level ll ("Medium", CVSS Base Score = 4.0-6.9) and 3 percent were the level I ("Low", CVSS Base Score = 0.0-3.9). This is high compared with across all software applications.
Figure 10 illustrates the number of vulnerability countermeasure information registered during the 4th quarter, sorted by their vulnerability type using CWE(*10). CWE-119 (Buffer Errors) that may pose a serious threat like arbitrary code execution accounts for about 40 percent of the total.
The ICS users should check on vulnerability information regularly, and if vulnerability found in a product they use, ask its vendor or retailer if there is a fix, like an updated version, and take necessary action promptly. If they cannot take action immediately for some reasons, evaluate the environment, such as networks in which the vulnerable industrial control system operates and risks it faces, and consider whether to apply the fix or take alternative measures(*11).
Figure 11 illustrates the number of vulnerability countermeasure information registered during the 4th quarter, sorted by their vulnerability type using CWE.
The types of vulnerabilities that have been reported a lot this quarter are CWE-89 (SQL Injection) with 1,034 cases, CWE-79 (Cross-Site Scripting) with 864 cases, CWE-119 (Buffer Errors) with 473 cases, CWE-264 (Permissions, Privileges, and Access Controls) with 422 cases, CWE-22 (Path Traversal) with 383 cases and CWE-94 (Code Injection) with 361 cases.
Most of these are well-known types of vulnerabilities. Software developers need to make sure to implement necessary security measures from the planning and design phase of software development. IPA provides guidelines that address these vulnerabilities, such as "Secure Programming Course"(*12), and also offers a hands-on vulnerability learning and experiencing tool "AppGoat(*13)" to promote secure programming.
Figure 12 shows the annual transitions in the severity of vulnerabilities registered to JVN iPedia based on the date they were first made public.
As of December 31, 2012, 45 percent of the vulnerabilities were labeled the level III ("High", CVSS Base Score = 7.0-10.0), 49 percent were labeled the level ll ("Medium", CVSS Base Score = 4.0-6.9) and 6 percent were the level I ("Low", CVSS Base Score = 0.0-3.9).
Considering the vast number of published vulnerabilities is being labeled with the higher severity levels, it is essential for IT users to check on vulnerability information on a daily basis, and apply updates or security patches without delay.
Figure 13 shows the annual transitions in the type of software products registered to JVN iPedia for having vulnerabilities, based on their respective publication date. Because all vulnerability countermeasure information released daily on NVD have been added to the scope of coverage of JVN iPedia since the 4th quarter of 2011, the number of vulnerability information registered has increased. It was 5,887 in 2007 and 3,789 in 2011: around 5,000 vulnerabilities are registered each year and an increasing trend remained in 2012 as well.
Since about 2008, the vulnerabilities in industrial control systems (ICS) used in critical infrastructures have been registered as well. It was 8 in 2008, 10 in 2009, 21 in 2010, 89 in 2011 and 162 in 2012 - the total of 290 ICS vulnerabilities are stored in JVN iPedia.
Since many new software applications are developed each year with old and new vulnerabilities, improving application security is getting more and more important. It is essential for IT users to check on vulnerability information on a daily basis, and apply updates or security patches without delay.
Figure 14 shows the annual transitions in JVN iPedia registered vulnerabilities found in open source software (OSS) and non-OSS based on the date they were first made public. Looking at the OSS annual transitions in recent years, the ratio of OSS had been on the decrease since 2008, but in 2011, 1,707 OSS vulnerabilities were registered, increasing the ratio of OSS to 40 percent in 2012. One of the reasons behind this increase is that all vulnerability countermeasure information released daily on NVD have been added to the scope of coverage of JVN iPedia. Overall, 41 percent of the vulnerabilities registered are of OSS and 59 percent are of non-OSS.
Figure 15 and 16 illustrate the breakdown of OSS and non-OSS software developers (vendors) registered on JVN iPedia, with Figure 15 representing OSS vendors and Figure 16 representing non-OSS vendors.
As shown in Figure 15, the registered OSS vendors consist of 86 domestic vendors, 67 foreign vendors with Japan office, and 4,054 foreign vendors without office in Japan; a cumulative total of 4,207 OSS vendors. Similarly, as Figure 16 represents, the total of 4,464 registered non-OSS vendors consist of 173 domestic vendors, 205 foreign vendors with office in Japan, and 4,086 foreign vendors without office in Japan.
In the case of OSS vendors, a vast amount of vulnerability countermeasure information registered is from foreign vendors without office in Japan. When using OSS, if product users do not have the proper knowledge required to update software to the latest version or to apply security patches, it is necessary to take contract agreements for support into account and/or the purchase of product support services provided by the vendor.
Table 2 lists the top 20 most accessed vulnerability countermeasure information in the JVN iPedia database during the 4th quarter of 2012 (October - December).
Table 3 lists the top 5 vulnerability countermeasure information accessed among those reported by domestic product developers.
|1||JVNDB-2009-004384||Jura Internet Connection Kit Denial of Service (DoS) Vulnerability||19,113||10.0||2012/9/25|
|2||JVNDB-2010-004301||Access Control Bypass Vulnerability in xmlrpc.php in WordPress||11,041||6.5||2012/9/19|
|3||JVNDB-2012-001258||HTTPOnly Cookies Information Disclosure Vulnerability in protocol.c in Aache HTTP Server||1,792||4.3||2012/2/1|
|4||JVNDB-2012-000094||Smarty Vulnerable to Cross-Site Scripting||1,786||4.3||2012/10/10|
|5||JVNDB-2012-000088||Safari Vulnerable to Local File Content Disclosure||1,430||4.3||2012/10/23|
|6||JVNDB-2012-000102||Multiple Android Devices Vulnerable to Denial-of-Service (DoS)||1,413||5.4||2012/11/14|
|7||JVNDB-2011-002305||Chosen Plaintext Attack Vulnerability in CBC Mode in SSL/TLS||1,044||4.3||2011/10/4|
|8||JVNDB-2012-000105||Multiple KYOCERA Mobile Devices May Reboot During Email Reception||1,030||7.8||2012/11/30|
|9||JVNDB-2011-002172||Apache HTTPD Server Denial of Service (DoS) Vulnerability||1,015||7.8||2011/9/1|
|10||JVNDB-2012-004723||Denial of Service (DoS) Service Vulnerability in STC Driver in Linux Kernel||800||7.8||2012/10/4|
|11||JVNDB-2012-003247||WordPress Information Disclosure Vulnerability||793||5.0||2012/7/24|
|12||JVNDB-2012-004724||Information Disclosure Vulnerability in net/rds/recv.c in Linux Kernel||791||2.1||2012/10/4|
|13||JVNDB-2012-000012||Apache Struts 2 Vulnerable to an Arbitrary Java Method Execution||741||6.8||2012/2/10|
|14||JVNDB-2012-004866||ISC BIND Denial of Service Vulnerability (named Daemon Hang)||718||7.8||2012/10/12|
|15||JVNDB-2012-000092||MyWebSearch vulnerable to cross-site scripting||672||4.3||2012/10/5|
|16||JVNDB-2009-002319||Vulnerability in SSL/TLS Protocol||668||6.4||2009/12/14|
|17||JVNDB-2012-000093||Tokyo BBS Vulnerable to Cross-Site Scripting||664||4.3||2012/10/26|
|18||JVNDB-2012-000091||jigbrowser+ for Android Vulnerable in the WebView Class||643||2.6||2012/9/28|
|19||JVNDB-2012-000103||Monaca Debugger for Android Information Management Vulnerability||640||2.6||2012/11/16|
|20||JVNDB-2012-004560||Brute-Force Password Attack Vulnerability in Oracle Database||622||6.4||2012/9/25|
|1||JVNDB-2012-005201||Multiple Vulnerabilities in Hitachi JP1/File Transmission Server/FTP||681||9.0||2012/11/5|
|2||JVNDB-2012-005486||Denial of Service (DoS) Vulnerability in JP1/Automatic Job Management System 3 and JP1/Automatic Job Management System 2||421||5.0||2012/11/22|
|3||JVNDB-2012-005485||Hitachi Device Manager Software Denial of Service (DoS) Vulnerability||409||5.0||2012/11/22|
|4||JVNDB-2012-003525||Cross-site Scripting Vulnerability in JP1/Integrated Management - Service Support||281||3.5||2012/8/10|
|5||JVNDB-2008-001647||Jasmine WebLink Template Multiple Vulnerabilities||229||7.5||2008/9/10|
Note 1) Color Code for CVSS Base Score and Severity Level
|CVSS Base Score
Severity Level = I (Low)
|CVSS Base Score
Severity Level = II (Medium)
|CVSS Base Score
Severity Level = III (High)
Note 2) Color Code for Published Date
|Published in 2010 and before||Published in 2011||Published in 2012|
(*1) Japan Vulnerability Notes. A portal for vulnerability countermeasure information providing information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.
(*2) National Vulnerability Database. A vulnerability database operated by NIST.
(*3) National Institute of Standards and Technology. A U.S federal agency that develops and promotes measurement, standards and technology.
(*4) Press Release "Security Alert for Cyberattacks by Targeted Attack Email"
(*5) Common Vulnerability Scoring System (CVSS)
Based on a numeric Base Score, it is evaluated in three levels and the higher the number, the higher the severity.
- Level III: A threat that could take complete remote control over the targeted system or lead to disclosure of a major part of information.
- Level II: A threat that could lead to disclosure of a part of information or to denial of service.
- Level I: Where conditions required to execute an attack are complicated or the threat falls under the Level II, but very unlikely to replicate
(*6) Transition to the New Version of Vulnerability Severity Scoring System CVSS v2.
(*7) MyJVN Version Checker
(*8) See the press release "MyJVN Version Checker now usable offline"
(*9) Google Play. A distribution and shop service for Android applications by Google. Applications are categorized into the types shown in the following URL:
(*10) CWE (Common Weakness Enumeration)
For more information, visit: http://www.ipa.go.jp/security/english/vuln/CWE_en.html
(*11) Security Alert for Vulnerability in Control Systems
(*13) Hands-on vulnerability learning and experiencing tool "AppGoat"
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)