Apr. 18, 2013
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/) aims to be a comprehensive database that gathers vulnerability countermeasure information for software products used in Japan so that IT users can access it easily. JVN iPedia collects and translates the vulnerability countermeasure information published by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), the vulnerability information database operated by NIST(*3), and has made this information available to the public since April 25, 2007.
~Vulnerability information stored in JVN iPedia is now over 39,000~
Of the vulnerability information registered in the Japanese version of JVN iPedia during the 1st quarter of 2013 (January 1 to March 31, 2013), 3 cases came from domestic developers (142 cumulative cases since the launch of JVN iPedia), 85 cases from JVN (2,497 cumulative cases) and 1,149 cases from NVD (36,697 cumulative cases), for a quarterly total of 1,237 cases (39,336 cumulative cases). The total number of registered vulnerability entries now exceeds 39,000 (see Table 1-1, Figure 1-1).
As for the English version of JVN iPedia, 3 cases came from domestic developers (142 cumulative cases) and 30 from JVN (737 cumulative cases), for a quarterly total of 33 cases (879 cumulative cases).
Table 1-1: Vulnerability countermeasure information registered in JVN iPedia, 2013 1Q

| Version | Information Source | Registered Cases (2013 1Q) | Cumulative Cases |
|---|---|---|---|
| Japanese | Domestic product developers | 3 | 142 |
| Japanese | JVN | 85 | 2,497 |
| Japanese | NVD | 1,149 | 36,697 |
| Japanese | Total | 1,237 | 39,336 |
| English | Domestic product developers | 3 | 142 |
| English | JVN | 30 | 737 |
| English | Total | 33 | 879 |
To make JVN iPedia more useful for system administrators, IPA is expanding the coverage of the vulnerability information registered in it. Currently, all vulnerabilities published on NVD in and after 2007 have been translated into Japanese and are available on JVN iPedia, so system administrators can obtain a broader range of vulnerability information in Japanese and make use of it.
Figure 1-2 illustrates the number of vulnerability countermeasure information registered during the 1st quarter of 2013, sorted by their vulnerability type using CWE.
The vulnerability types reported most often this quarter are CWE-119 (Buffer Errors) with 158 cases, CWE-264 (Permissions, Privileges and Access Controls) with 128 cases, CWE-79 (Cross-Site Scripting) with 114 cases, CWE-20 (Improper Input Validation) with 98 cases, CWE-399 (Resource Management Errors) with 94 cases and CWE-200 (Information Leak) with 74 cases.
Most of these are well-known types of vulnerabilities. Software developers need to implement the necessary security measures from the planning and design phases of software development. IPA provides guidelines that address these vulnerabilities, such as the "Secure Programming Course"(*4), and also offers "AppGoat"(*5), a hands-on tool for learning about and experiencing vulnerabilities, to promote secure programming.
Figure 1-3 shows the annual transitions in the severity of vulnerabilities registered to JVN iPedia based on the date they were first made public.
As of March 31, 2013, 45 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 49 percent were labeled level II ("Medium", CVSS Base Score = 4.0-6.9) and 6 percent were level I ("Low", CVSS Base Score = 0.0-3.9).
Considering that nearly half of the published vulnerabilities carry the highest severity level, it is essential for IT users to check vulnerability information on a daily basis and apply updates or security patches without delay.
Figure 1-4 shows the annual transitions in the type of software products with vulnerabilities registered to JVN iPedia, based on the vulnerability release date. According to the data since 2007, application vulnerabilities account for around 90 percent of the total each year, and this trend is expected to continue in 2013.
Since about 2008, vulnerabilities in industrial control systems (ICS) used in critical infrastructure have been registered as well. As of the end of the 1st quarter of 2013, a total of 340 ICS vulnerabilities are registered in JVN iPedia.
Since many new software applications are developed each year, carrying both old and new types of vulnerabilities, improving application security is becoming more and more important. It is essential for IT users to check vulnerability information on a daily basis and apply updates or security patches without delay.
Figure 1-5 shows the annual transitions in JVN iPedia registered vulnerabilities found in open source software (OSS) and non-OSS, based on the date they were first made public. A total of 15,937 OSS-related vulnerabilities has been registered; overall, 41 percent of the registered vulnerabilities are in OSS and 59 percent in non-OSS.
Figure 1-6-1 and 1-6-2 illustrate the breakdown of OSS and non-OSS software developers (vendors) registered in JVN iPedia, with Figure 1-6-1 representing OSS vendors and Figure 1-6-2 representing non-OSS vendors.
As shown in Figure 1-6-1, the registered OSS vendors consist of 87 domestic vendors, 68 foreign vendors with Japan office, and 4,088 foreign vendors without office in Japan; a cumulative total of 4,243 OSS vendors. Similarly, as Figure 1-6-2 represents, the total of 4,521 registered non-OSS vendors consist of 180 domestic vendors, 209 foreign vendors with office in Japan, and 4,132 foreign vendors without office in Japan.
In the case of OSS vendors, the vast majority of the registered vulnerabilities are in products of foreign vendors without an office in Japan. When using OSS, product users who lack the knowledge required to update the software to the latest version or apply security patches themselves should consider concluding a support agreement and/or purchasing product support services from the vendor.
~Lots of vulnerabilities in widely-used PC software applications reported. Check and update promptly~
As represented by targeted email attacks, the mainstream technique in recent cyberattacks that aim to steal confidential and personal information is to infect targets with viruses that exploit software vulnerabilities, delivered through files attached to email or any other available means. In the 10 Major Security Threats 2013(*6), which selected the security threats that had a significant social impact in 2012, attacks exploiting client software applications were ranked as the top threat.
In particular, vulnerabilities in very popular software such as browsers, document software and execution environments have been aggressively exploited. Figure 2-1-1 shows the annual transitions in the number of vulnerabilities in 8 standard software products widely used on PCs. During the 1st quarter of 2013, 292 vulnerabilities in these products were registered; compared with the total of 531 for all of 2012, more than half of last year's count has already been reached in just three months.
JVN iPedia rates each vulnerability according to CVSS(*7) and publishes its severity level(*8). Figure 2-1-2 shows the severity of vulnerabilities in the 8 standard software products widely used on PCs. There are 909 vulnerability entries related to Mozilla Firefox, 646 related to Microsoft Internet Explorer and 827 related to 3 Adobe products (Reader, Acrobat, Flash Player). By severity, 65 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 32 percent were labeled level II ("Medium", CVSS Base Score = 4.0-6.9) and 3 percent were level I ("Low", CVSS Base Score = 0.0-3.9). The most severe level III vulnerabilities account for about two-thirds of the total.
Vulnerabilities with high severity continue to be reported. It is essential for IT users to check vulnerability information on a daily basis and apply updates or security patches without delay.
IPA offers a free tool, "MyJVN Version Checker"(*9), that lets IT users easily check whether the software applications installed on their PC are the latest version. IPA also offers a command line interface(*10) so that system administrators can check multiple PCs automatically.
~Check security alerts every day!~
IPA selects security issues that would affect a large number of users and publishes information about the issues and their countermeasures as "security alerts"(*11). Table 2-2 lists the security alerts issued this quarter. During the 3 months from January to March 2013, IPA published 17 security alerts: 8 "urgent-level" alerts, for vulnerabilities where exploitation has been confirmed, and 9 "warning-level" alerts, for vulnerabilities where exploitation has not been confirmed but is expected. Compared with 2012 4Q (October - December), when only 4 security alerts were issued, this is more than 4 times as many.
Table 2-2: Security alerts issued in 2013 1Q

| Date | Level | Title |
|---|---|---|
| 2013/1/9 | Warning | Security Alert for Adobe Reader and Acrobat |
| 2013/1/9 | Warning | Security Alert for Adobe Flash Player (APSB13-01)(CVE-2013-0630) |
| 2013/1/15 | Urgent | Security Alert for Oracle Java (CVE-2013-0422) |
| 2013/1/15 | Urgent | Security Alert for Internet Explorer (MS13-008)(CVE-2012-4792) |
| 2013/2/4 | Urgent | Security Alert for Oracle Java (CVE-2013-0437 etc.) |
| 2013/2/8 | Urgent | Security Alert for Adobe Flash Player (APSB13-04)(CVE-2013-0633 etc.) |
| 2013/2/13 | Urgent | Security Alert for Internet Explorer (MS13-010)(CVE-2013-0030) |
| 2013/2/13 | Warning | Security Alert for Adobe Flash Player (APSB13-05)(CVE-2013-1372 etc.) |
| 2013/2/20 | Warning | Security Alert for Oracle Java (CVE-2013-1487 etc.) |
| 2013/2/21 | Urgent | Security Alert for Adobe Reader and Acrobat |
| 2013/2/21 | Warning | Security Alert for NEC Corporation Universal RAID Utility |
| 2013/2/26 | Warning | Security Alert for Multiple JustSystems Products |
| 2013/2/27 | Urgent | Security Alert for Adobe Flash Player (APSB13-08)(CVE-2013-0643 etc.) |
| 2013/3/5 | Urgent | Security Alert for Oracle Java (CVE-2013-1493) |
| 2013/3/7 | Warning | Security Alert for Multiple Cisco Switches |
| 2013/3/13 | Warning | Security Alert for Adobe Flash Player (APSB13-09)(CVE-2013-0646 etc.) |
| 2013/3/28 | Warning | Security Alert for DNS Server BIND (CVE-2013-2266) |
| 2013/3/28 | Warning | Security Alert for Adobe Reader and Acrobat |
Among the security alerts issued in 2013 1Q, 5 concern Adobe Flash Player and 4 concern Java software from Oracle, such as the JDK (Java Development Kit) and JRE (Java Runtime Environment); together these account for about half of the alerts.
The number of reported vulnerabilities in Adobe Flash Player, JDK and JRE has been increasing year by year. Figure 2-2 shows the annual transitions in the number of Adobe Flash Player, JDK and JRE vulnerabilities registered to JVN iPedia. In 2013 1Q alone, 134 vulnerabilities were registered for these 3 products, more than two-thirds of the total for all of 2012, a sharp increase.
Users of software such as Adobe Flash Player, JDK and JRE should not only be aware of this increasing trend and keep the software updated, but also consider other security measures, including uninstalling the software if it is not necessary.
~Vulnerabilities in industrial control system have been increasing year by year~
In recent years, vulnerabilities in software used in industrial control systems (ICS), such as the monitoring systems used in production plants and other facilities, have been increasing drastically.
Figure 2-3-1 shows the number and severity of the ICS vulnerabilities registered to JVN iPedia. Of the 46 ICS vulnerabilities registered so far in 2013, the most severe level III vulnerabilities account for more than half (24), continuing the increasing tendency seen in past years.
Figures 2-3-2 and 2-3-3 show the severity distribution of vulnerabilities in ICS software and across all software, respectively. For ICS software, 63 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 36 percent were level II ("Medium", CVSS Base Score = 4.0-6.9) and 1 percent were level I ("Low", CVSS Base Score = 0.0-3.9). This is a higher proportion of severe vulnerabilities than for software overall.
Figure 2-3-4 illustrates the number of ICS vulnerability countermeasure information entries sorted by vulnerability type using CWE(*12). CWE-119 (Buffer Errors), which can lead to serious consequences such as arbitrary code execution, accounts for 102 cases, more than 3 times the count of CWE-22 (Path Traversal) or any other type.
ICS users should check vulnerability information regularly and, if a vulnerability is found in a product they use, ask the vendor or retailer whether a fix such as an updated version is available, and take the necessary action promptly. If they cannot take action immediately for some reason, they should evaluate the environment, such as the network in which the vulnerable industrial control system operates and the risks it faces, and consider how to mitigate those risks and/or take alternative measures(*13).
Table 3-1 lists the top 20 most accessed vulnerability countermeasure information in the JVN iPedia during the 1st quarter of 2013 (January - March).
Table 3-2 lists the top 5 vulnerability countermeasure information accessed among those reported by domestic product developers.
Table 3-1: Top 20 most accessed vulnerability countermeasure information in JVN iPedia, 2013 1Q

| Rank | ID | Title | Access Count | CVSS Base Score | Published Date |
|---|---|---|---|---|---|
| 1 | JVNDB-2013-001027 | Vulnerability in Oracle Java 7 | 5,081 | 10.0 | 2013/1/11 |
| 2 | JVNDB-2013-001912 | Denial of Service (DoS) Vulnerability in Rehash Mechanism in Perl | 2,411 | 7.5 | 2013/3/21 |
| 3 | JVNDB-2012-001258 | HTTPOnly Cookies Information Disclosure Vulnerability in protocol.c in Apache HTTP Server | 1,867 | 4.3 | 2012/2/1 |
| 4 | JVNDB-2013-000012 | NEC Universal RAID Utility fails to restrict access permissions | 1,668 | 9.0 | 2013/2/21 |
| 5 | JVNDB-2013-001019 | Multiple Vulnerabilities in Ruby on Rails | 1,568 | 7.5 | 2013/1/10 |
| 6 | JVNDB-2013-000017 | Multiple Cisco products vulnerable to denial-of-service (DoS) | 1,464 | 7.8 | 2013/3/7 |
| 7 | JVNDB-2013-001237 | Eval Injection and SQL Injection Vulnerability in mt-upgrade.cgi in Movable Type | 1,290 | 7.5 | 2013/1/24 |
| 8 | JVNDB-2012-005828 | Internet Explorer Arbitrary Code Execution Vulnerability | 1,210 | 9.3 | 2013/1/4 |
| 9 | JVNDB-2013-001460 | Distinguishing and Plaintext-Recovering Attack Vulnerability in TLS Protocol and DTLS Protocol | 1,071 | 2.6 | 2013/2/13 |
| 10 | JVNDB-2011-002172 | Apache HTTPD Server Denial of Service (DoS) Vulnerability | 1,046 | 7.8 | 2011/9/1 |
| 11 | JVNDB-2011-002110 | Samba Web Administration Tool vulnerable to cross-site request forgery | 1,006 | 4.0 | 2011/8/18 |
| 12 | JVNDB-2013-000015 | Multiple JustSystems products vulnerable to arbitrary code execution | 971 | 6.8 | 2013/2/26 |
| 13 | JVNDB-2013-000005 | Weathernews Touch for Android stores location information in the system log file | 915 | 2.6 | 2013/1/31 |
| 14 | JVNDB-2011-002305 | Chosen Plaintext Attack Vulnerability in CBC Mode in SSL/TLS | 898 | 4.3 | 2011/10/4 |
| 15 | JVNDB-2013-000008 | Cybozu Garoon vulnerable to cross-site scripting | 855 | 2.6 | 2013/2/8 |
| 16 | JVNDB-2013-001056 | Oracle Java SE Arbitrary Code Execution Vulnerability | 846 | 10.0 | 2013/1/15 |
| 17 | JVNDB-2013-000007 | Cybozu Garoon vulnerable to SQL injection | 803 | 6.5 | 2013/2/8 |
| 18 | JVNDB-2012-000113 | concrete5 vulnerable to cross-site scripting | 802 | 2.6 | 2012/12/21 |
| 19 | JVNDB-2009-002319 | Vulnerability in SSL/TLS Protocol | 792 | 6.4 | 2009/12/14 |
| 20 | JVNDB-2012-000115 | Loctouch for Android information management vulnerability | 789 | 2.6 | 2012/12/21 |
Table 3-2: Top 5 most accessed vulnerability countermeasure information reported by domestic product developers, 2013 1Q

| Rank | ID | Title | Access Count | CVSS Base Score | Published Date |
|---|---|---|---|---|---|
| 1 | JVNDB-2012-005827 | Cross-site Scripting Vulnerability in Collaboration - Bulletin board in Multiple Hitachi Products | 768 | 4.3 | 2012/12/28 |
| 2 | JVNDB-2013-001605 | Multiple vulnerabilities in Hitachi Tuning Manager and JP1/Performance Management | 515 | 9.0 | 2013/2/20 |
| 3 | JVNDB-2013-001321 | User Authentication Vulnerability in Operational Management Function of Cosminexus | 457 | 6.8 | 2013/1/31 |
| 4 | JVNDB-2013-001470 | Accela BizSearch Gateway Option for TeamWARE Spoofing Vulnerability | 388 | 6.8 | 2013/2/13 |
| 5 | JVNDB-2012-005486 | Denial of Service (DoS) Vulnerability in JP1/Automatic Job Management System 3 and JP1/Automatic Job Management System 2 | 321 | 5.0 | 2012/11/22 |
Note 1) In the original tables, the CVSS Base Score column is color-coded by severity level: Level I (Low, Base Score 0.0-3.9), Level II (Medium, Base Score 4.0-6.9) and Level III (High, Base Score 7.0-10.0).
Note 2) In the original tables, the Published Date column is color-coded by year: published in 2011 and before, published in 2012, and published in 2013.
(*1) Japan Vulnerability Notes. A portal for vulnerability countermeasure information providing information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.
(*2) National Vulnerability Database. A vulnerability database operated by NIST.
(*3) National Institute of Standards and Technology. A U.S. federal agency that develops and promotes measurement, standards and technology.
(*5) Hands-on vulnerability learning and experiencing tool "AppGoat"
(*6) Press Release: 10 Major Security Threats - They Are About To Get You
(*7) Common Vulnerability Scoring System (CVSS)
Based on the numeric Base Score, each vulnerability is rated at one of three levels; the higher the score, the higher the severity.
- Level III: A threat that could allow complete remote control of the targeted system or lead to disclosure of a major part of its information.
- Level II: A threat that could lead to disclosure of a part of the information or to denial of service.
- Level I: A threat for which the conditions required to execute an attack are complicated, or one that would otherwise fall under Level II but is very unlikely to be reproduced.
(*8) Transition to the New Version of Vulnerability Severity Scoring System CVSS v2.
(*9) MyJVN Version Checker
(*10) See the press release "MyJVN Version Checker now usable offline"
(*11) About IPA Security Alerts
(*12) CWE (Common Weakness Enumeration)
For more information, visit: http://www.ipa.go.jp/security/english/vuln/CWE_en.html
(*13) Security Alert for Vulnerability in Control Systems
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)