Aug. 9, 2013
IT Security Center
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/) aims to be a comprehensive database that aggregates vulnerability countermeasure information for software products used in Japan and lets IT users access that information easily. JVN iPedia collects and/or translates the vulnerability countermeasure information published by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), a vulnerability information database run by NIST(*3). JVN iPedia has made this information available to the public since April 25, 2007.
~Vulnerability information stored in JVN iPedia is now over 40,000~
Of the vulnerability information registered to the Japanese version of JVN iPedia in the 2nd quarter of 2013 (April 1 to June 30, 2013), 5 cases were gathered from domestic software developers (147 cumulative cases since the launch of JVN iPedia), 128 cases from JVN (2,625 cumulative cases), and 1,067 cases from NVD (37,764 cumulative cases), bringing the quarterly total to 1,200 cases (40,536 cumulative cases). The total number of vulnerability information entries registered to JVN iPedia is now over 40,000 (see Table 1-1, Figure 1-1).
As for the English version of JVN iPedia, 5 cases were gathered from domestic software developers (147 cumulative cases) and 37 from JVN (774 cumulative cases), bringing the quarterly total to 42 cases (921 cumulative cases).
Table 1-1: Vulnerability countermeasure information registered in the 2nd quarter of 2013
|Version|Information Source|Registered Cases|Cumulative Cases|
|Japanese Version|Domestic Product Developers|5 cases|147 cases|
|Japanese Version|JVN|128 cases|2,625 cases|
|Japanese Version|NVD|1,067 cases|37,764 cases|
|Japanese Version|Total|1,200 cases|40,536 cases|
|English Version|Domestic Product Developers|5 cases|147 cases|
|English Version|JVN|37 cases|774 cases|
|English Version|Total|42 cases|921 cases|
To enable system administrators to obtain vulnerability countermeasure information about the various products used in Japan, and to make JVN iPedia more useful for them, all vulnerabilities released on NVD in and after 2007 have been translated into Japanese and are now available on JVN iPedia.
~Vulnerability in CMS (Content Management System) is exploited to modify websites~
Unauthorized modification of the websites of corporations and public organizations is happening constantly and is increasing. IPA urged administrators to be cautious through "This Month's Key Topic(*4)" for June 2013, with the theme "Take actions to protect your website from being modified!". Figure 1-2-1 illustrates the registration status of the software vulnerabilities introduced as "often exploited vulnerabilities" in "This Month's Key Topic". Vulnerabilities in CMS (Content Management System(*5)) such as Joomla! and WordPress, in Apache Struts, in Parallels Plesk Panel, and in software often installed together with Parallels Plesk Panel such as MySQL, BIND and phpMyAdmin have been published at a rate of around 200 per year since 2007. In 2013, 101 had been published as of the end of June.
JVN iPedia rates each vulnerability according to CVSS(*6) and publishes its severity level(*7). Figure 1-2-2 shows the severity ratio of the vulnerabilities in the software products addressed in Figure 1-2-1. 43 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 52 percent level II ("Medium", CVSS Base Score = 4.0-6.9) and 5 percent level I ("Low", CVSS Base Score = 0.0-3.9). As in the previous quarter, vulnerabilities of level II or higher account for over 90 percent. For Joomla! in particular, 462 out of 724 (64 percent) are level III, meaning that a greater proportion of highly serious vulnerabilities is reported for it than for other software.
JVN iPedia holds a large number of highly serious vulnerabilities that have been exploited in real attacks, including the CMS vulnerabilities used for unauthorized modification of websites. It is essential for IT users to check vulnerability information on a daily basis and to update and apply security patches without delay.
~Microsoft support for Windows XP will be terminated on April 9, 2014~
Microsoft will end its support for Windows XP on April 9, 2014. According to survey data from a private firm(*8), approximately 30 percent of the PCs connected to the Internet were still running Windows XP as of the end of March 2013.
Figure 1-3 shows the severity of the Windows XP vulnerabilities registered in JVN iPedia. 71 percent were labeled level III ("High", CVSS Base Score = 7.0-10.0), 26 percent level II ("Medium", CVSS Base Score = 4.0-6.9) and 3 percent level I ("Low", CVSS Base Score = 0.0-3.9). 97 percent of the known vulnerabilities are level II or higher, so there is a high possibility that critical services will be interrupted when they are exploited in attacks.
For out-of-support software, there is a high possibility that security patches will no longer be provided by the vendor. Users should therefore consider switching as soon as possible to products for which support is available, including free software.
Figure 2-1 illustrates the number of vulnerability countermeasure information registered during the 2nd quarter of 2013, sorted by their vulnerability type using CWE(*9).
The vulnerability types reported most often this quarter are: CWE-119 (Buffer Errors) with 194 cases, CWE-79 (Cross-Site Scripting) with 130 cases, CWE-264 (Permissions, Privileges and Access Controls) with 114 cases, CWE-20 (Improper Input Validation) with 96 cases, CWE-399 (Resource Management Errors) with 82 cases and CWE-200 (Information Leak) with 55 cases.
Most of them are well-known types of vulnerabilities. Software developers need to make sure to implement necessary security measures from the planning and design phase of software development. IPA provides guidelines that address these vulnerabilities, such as "Secure Programming Course"(*10), and also offers a hands-on vulnerability learning and experiencing tool "AppGoat(*11)" to promote secure programming.
Figure 2-2 shows the annual transitions in the severity of vulnerabilities registered to JVN iPedia based on the date they were first published.
As of June 30, 2013, 45 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 49 percent level II ("Medium", CVSS Base Score = 4.0-6.9) and 6 percent level I ("Low", CVSS Base Score = 0.0-3.9).
94 percent of the known vulnerabilities are level II or higher. To avoid threats from known vulnerabilities, it is essential for IT users to update and apply security patches without delay.
Figure 2-3 shows the annual transitions in the type of software products registered to JVN iPedia for having vulnerabilities, based on their respective vulnerability release date. Application vulnerabilities are published most and account for 87 percent of the total.
Since about 2008, vulnerabilities in the industrial control systems (ICS) used in critical infrastructure have also been added. As of the end of the 2nd quarter, 388 ICS vulnerabilities are registered in JVN iPedia cumulatively, and in 2013 alone 83 had been registered as of June.
It is essential for IT users to update and apply security patches without delay.
Figure 2-4 shows the annual transitions in JVN iPedia registered vulnerabilities found in open source software (OSS) and non-OSS software, based on the date they were first published. A total of 16,284 OSS-related vulnerabilities have been registered. One reason the number of vulnerabilities registered for 2007 and later is much larger than for 2006 and earlier is that all NVD data released in and after 2007 has been added. Overall, 40 percent are OSS and 60 percent are non-OSS.
Figures 2-5-1 and 2-5-2 illustrate the breakdown of the OSS and non-OSS software developers (vendors) registered in JVN iPedia. OSS and non-OSS vendors are each categorized as domestic vendors, overseas vendors with a Japan office, or overseas vendors without a Japan office.
As the graphs show, overseas vendors without a Japan office account for the largest share: 96.4 percent of OSS vendors and 91.3 percent of non-OSS vendors. JVN iPedia thus offers a vast amount of vulnerability information on products developed by overseas vendors that have no office or base in Japan.
OSS products have the advantage of being easy to adopt, but on the other hand the OSS vendors may not offer sufficient support. Users who lack the knowledge needed to, for example, apply security patches themselves should carefully weigh the pros and cons of using OSS products.
Table 3-1 lists the top 20 most accessed vulnerability countermeasure information in the JVN iPedia during the 2nd quarter of 2013 (April - June).
Table 3-2 lists the top 5 vulnerability countermeasure information accessed among those reported by domestic product developers.
Table 3-1: Top 20 most accessed vulnerability countermeasure information (April - June 2013)
|Rank|ID|Title|CVSS Base Score|Published|
|1|JVNDB-2007-003445|Password Hash Download Vulnerability in Thomas R. Pasawicz HyperBook Guestbook|5.0|2012/9/25|
|2|JVNDB-2013-000016|Kingsoft Writer vulnerable to buffer overflow|6.8|2013/3/1|
|3|JVNDB-2013-000053|Internet Explorer vulnerable to information disclosure|2.6|2013/6/7|
|4|JVNDB-2012-000012|Apache Struts 2 vulnerable to an arbitrary Java method execution|6.8|2012/2/10|
|5|JVNDB-2013-000058|Ichitaro series vulnerable to arbitrary code execution|9.3|2013/6/18|
|6|JVNDB-2012-001258|HTTPOnly Cookies Information Disclosure Vulnerability in protocol.c in Apache HTTP Server|4.3|2012/2/1|
|7|JVNDB-2013-000031|Active! mail vulnerable to information disclosure|2.1|2013/4/4|
|8|JVNDB-2013-002656|Privilege Acquisition Vulnerability in kernel/events/core.c in Linux Kernel|7.2|2013/5/15|
|9|JVNDB-2013-000034|Multiple Cyboze products vulnerable to cross-site request forgery|2.6|2013/4/15|
|10|JVNDB-2013-000025|OpenWnn for Android vulnerable to information disclosure|2.6|2013/3/29|
|11|JVNDB-2013-000037|Yahoo! Browser vulnerable to address bar spoofing|4.3|2013/4/26|
|12|JVNDB-2013-001695|Cross-site scripting Vulnerability in Apache HTTP Server|4.3|2013/2/27|
|13|JVNDB-2013-002950|OS command injection Vulnerability in HP System Management Homepage|9.0|2013/6/13|
|14|JVNDB-2013-001912|Denial of service (DoS) vulnerability in hash value recalculation in Perl|7.5|2013/3/21|
|15|JVNDB-2013-000043|EC-CUBE fails to restrict access permissions|6.4|2013/5/23|
|16|JVNDB-2013-002545|Arbitrary Code Execution Vulnerability in Internet Explorer 8|9.3|2013/5/7|
|17|JVNDB-2009-000013|PEAK XOOPS piCal cross-site scripting vulnerability|4.3|2009/2/25|
|18|JVNDB-2013-000033|Sleipnir Mobile for Android loads arbitrary Extension API|4.0|2013/4/12|
|19|JVNDB-2013-000032|Sleipnir for Windows vulnerable to address bar spoofing|4.3|2013/4/11|
|20|JVNDB-2013-000029|Simeji vulnerable to information disclosure|2.6|2013/3/26|
Table 3-2: Top 5 most accessed vulnerability countermeasure information reported by domestic product developers
|Rank|ID|Title|CVSS Base Score|Published|
|1|JVNDB-2013-001605|Multiple vulnerabilities in Hitachi Tuning Manager and JP1/Performance Management|9.0|2013/2/20|
|2|JVNDB-2013-001321|User Authentication Vulnerability in Operational Management Function of Cosminexus|6.8|2013/1/31|
|3|JVNDB-2013-001470|Accela BizSearch Gateway Option for TeamWARE Spoofing Vulnerability|6.8|2013/2/13|
|4|JVNDB-2012-005827|Cross-site Scripting Vulnerability in Collaboration - Bulletin board in Multiple Hitachi Products|4.3|2012/12/28|
|5|JVNDB-2008-001313|JP1/Cm2/Network Node Manager Denial of Service Vulnerability|5.0|2008/5/9|
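As an added example (not part of the IPA report), the following Python applies the report's three-level severity classification from footnote (*6) to the Table 3-1 rows exactly as they appear in the page's flattened "|a||b||c|" form, and computes the per-level percentages the way Figures 1-2-2 and 1-3 present them. The rows are copied from the table; the parsing, range check and percentage logic are the example's own.

```python
from collections import Counter
# Rows copied from Table 3-1 of this report, in the page's flattened
# "|rank||JVNDB id||title||CVSS base score||published|" form.
TABLE_3_1 = """\
|1||JVNDB-2007-003445||Password Hash Download Vulnerability in Thomas R. Pasawicz HyperBook Guestbook||5.0||2012/9/25|
|2||JVNDB-2013-000016||Kingsoft Writer vulnerable to buffer overflow||6.8||2013/3/1|
|3||JVNDB-2013-000053||Internet Explorer vulnerable to information disclosure||2.6||2013/6/7|
|4||JVNDB-2012-000012||Apache Struts 2 vulnerable to an arbitrary Java method execution||6.8||2012/2/10|
|5||JVNDB-2013-000058||Ichitaro series vulnerable to arbitrary code execution||9.3||2013/6/18|
|6||JVNDB-2012-001258||HTTPOnly Cookies Information Disclosure Vulnerability in protocol.c in Apache HTTP Server||4.3||2012/2/1|
|7||JVNDB-2013-000031||Active! mail vulnerable to information disclosure||2.1||2013/4/4|
|8||JVNDB-2013-002656||Privilege Acquisition Vulnerability in kernel/events/core.c in Linux Kernel||7.2||2013/5/15|
|9||JVNDB-2013-000034||Multiple Cyboze products vulnerable to cross-site request forgery||2.6||2013/4/15|
|10||JVNDB-2013-000025||OpenWnn for Android vulnerable to information disclosure||2.6||2013/3/29|
|11||JVNDB-2013-000037||Yahoo! Browser vulnerable to address bar spoofing||4.3||2013/4/26|
|12||JVNDB-2013-001695||Cross-site scripting Vulnerability in Apache HTTP Server||4.3||2013/2/27|
|13||JVNDB-2013-002950||OS command injection Vulnerability in HP System Management Homepage||9.0||2013/6/13|
|14||JVNDB-2013-001912||Denial of service (DoS) vulnerability in hash value recalculation in Perl||7.5||2013/3/21|
|15||JVNDB-2013-000043||EC-CUBE fails to restrict access permissions||6.4||2013/5/23|
|16||JVNDB-2013-002545||Arbitrary Code Execution Vulnerability in Internet Explorer 8||9.3||2013/5/7|
|17||JVNDB-2009-000013||PEAK XOOPS piCal cross-site scripting vulnerability||4.3||2009/2/25|
|18||JVNDB-2013-000033||Sleipnir Mobile for Android loads arbitrary Extension API||4.0||2013/4/12|
|19||JVNDB-2013-000032||Sleipnir for Windows vulnerable to address bar spoofing||4.3||2013/4/11|
|20||JVNDB-2013-000029||Simeji vulnerable to information disclosure||2.6||2013/3/26|
"""

def severity_level(base_score):
    # JVN iPedia's three-level mapping of a CVSS v2 base score (footnote *6).
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score}")
    if base_score >= 7.0:
        return "III"  # High: 7.0-10.0
    return "II" if base_score >= 4.0 else "I"  # Medium: 4.0-6.9, Low: 0.0-3.9

def parse_rows(text):
    # Each row is "|a||b||c||d||e|": strip the outer bars, then split on "||".
    rows = []
    for line in filter(None, map(str.strip, text.splitlines())):
        rank, jvndb_id, title, score, published = line.strip("|").split("||")
        rows.append((int(rank), jvndb_id, title, float(score), published))
    return rows

def severity_distribution(rows):
    # Percentage of entries per level, as the report does in Figures 1-2-2 and 1-3.
    counts = Counter(severity_level(score) for _, _, _, score, _ in rows)
    return {lvl: round(100 * counts[lvl] / len(rows)) for lvl in ("III", "II", "I")}

if __name__ == "__main__":
    print(severity_distribution(parse_rows(TABLE_3_1)))  # {'III': 25, 'II': 50, 'I': 25}
```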
Note 1) Color Code for CVSS Base Score and Severity Level
- CVSS Base Score 0.0-3.9: Severity Level = I (Low)
- CVSS Base Score 4.0-6.9: Severity Level = II (Medium)
- CVSS Base Score 7.0-10.0: Severity Level = III (High)
Note 2) Color Code for Published Date
- Published in 2011 and before
- Published in 2012
- Published in 2013
(*1) Japan Vulnerability Notes. A portal for vulnerability countermeasure information, providing information on vendor responses to reported vulnerabilities and on security support. Operated jointly by IPA and JPCERT/CC.
(*2) National Vulnerability Database. A vulnerability database operated by NIST.
(*3) National Institute of Standards and Technology. A U.S. federal agency that develops and promotes measurement, standards and technology.
(*4) "This Month's Key Topic". Security information that IPA publishes every month. In June 2013, "Take actions to protect your website from being modified!" was published.
http://www.ipa.go.jp/security/txt/2013/06outline.html (in Japanese)
(*6) Common Vulnerability Scoring System (CVSS)
http://www.ipa.go.jp/security/vuln/CVSS.html (in Japanese)
Based on the numeric Base Score, vulnerabilities are rated in three levels; the higher the number, the higher the severity.
- Level III: A threat that could give complete remote control over the targeted system or lead to disclosure of a major part of its information.
- Level II: A threat that could lead to disclosure of a part of the information or to denial of service.
- Level I: A threat for which the conditions required to execute an attack are complicated, or one that would fall under Level II but is very unlikely to be replicated.
(*7) Transition to the New Version of Vulnerability Severity Scoring System CVSS v2.
http://www.ipa.go.jp/security/vuln/SeverityLevel2.html (in Japanese)
(*8) Just Systems, "Mobile & Social Media Monthly fixed-point Survey."
https://www.fast-ask.com/report/report-monthly-20130410.html (in Japanese)
(*9) Common Weakness Enumeration.
http://www.ipa.go.jp/security/vuln/CWE.html (in Japanese)
(*11) Hands-on vulnerability learning and experiencing tool "AppGoat"
http://www.ipa.go.jp/security/vuln/appgoat/index.html (in Japanese)
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)