Font Size Change

HOMEIT SecurityMeasures for Information Security VulnerabilitiesQuarterly ReportsVulnerability Countermeasure Information Database JVN iPedia Registration Status [2013 3rd Quarter (Jul. - Sep.)]


IT Security

Vulnerability Countermeasure Information Database JVN iPedia Registration Status [2013 3rd Quarter (Jul. - Sep.)]

Nov. 8, 2013
IT Security Center

1. 2013 3rd Quarter: Vulnerability Countermeasure Information Database JVN iPedia Registration Status

The vulnerability countermeasure information database JVN iPedia ( is endeavoring to become a comprehensive database where vulnerability countermeasure information for software used in Japan is aggregated and IT users can easily access the information. JVN iPedia has collected and/or translated the vulnerability countermeasure information published by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), a vulnerability information database run by NIST(*3). JVN iPedia has continued to make these information available to the public since April 25, 2007.

1.1. Vulnerabilities Registered in 2013 3Q

~Vulnerability information stored in JVN iPedia is now over 41,000~

The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 3rd quarter of 2013 (July 1 to September 30, 2013) is shown in the table below. The total number of vulnerabilities stored in JVN iPedia is now over 41,000 (See Table 1-1, Figure 1-1).

As for the English version, the total of 949 vulnerabilities are available as shown in the lower half of the table.

Table 1-1. Registered Vulnerabilities in 3rd Quarter of 2013
  Information Source Registered Cases Cumulative Cases
Japanese Version Domestic Product Developers 2 cases 149 cases
JVN 130 cases 2,755 cases
NVD 1,148 cases 38,912 cases
Total 1,280 cases 41,816 cases
English Version Domestic Product Developers 2 cases 149 cases
JVN 26 cases 800 cases
Total 28 cases 949 cases

1.2. Hot Topic #1: Software Often Used to Hack Websites

~Vulnerabilities in Content Management Systems account for 96 percent (1,669)!~

Unauthorized modification of websites have been sharply increasing this year. IPA issued a security alert(*4) in September 2013 to warn the users of the danger. One of the factors that facilitate attacks on the websites is that the users keep using the old-version of software applications and the attackers are actively exploiting the vulnerabilities in them.

The software applications that are often exploited include the web application frameworks(*5) and middleware(*6), such as Apache Struts and Parallels Plesk Panel, and content management systems (CMS)(*7) such as WordPress, Drupal and Joomla. A lot of vulnerabilities have been reported with these software applications.

The figure 1-2-1 illustrates the registration status of some software applications that are "often exploited" in the website attacks. With them, 1,879 vulnerabilities have been reported in total and in 2013, 155 vulnerabilities have been reported so far as of the end of September. Looking at them individually, the number of reports for Joomla! has been decreasing since its peak in 2010 while WordPress and Drupal account for the most of the vulnerabilities reported this year.

JVN iPedia rates each vulnerability according to the CVSS(*8) and publishes its severity level. Figure 1-2-2 shows the ratio of the severity of the vulnerabilities in the specific software applications addressed in the figure 1-2-1. Among them, 688 vulnerabilities were labeled level III ("High"), 981 were labeled level ll ("Medium") and 210 were level I ("Low"). The number of the vulnerabilities with high severity (more than level II), such as those that may lead to service outage, was 1,669 out of 1,879 (about 89 percent). Especially, CMS software such as WordPress, Drupal, Joomla!, Movable Type and XOOPS, accounted for 96 percent of those often-exploited vulnerabilities (1,807 out of 1,879), and the number of the severest Level III vulnerability among them was 660 out of 1,807 (36 percent).

In JVN iPedia, a lot of highly serious vulnerabilities that have been exploited in the real attacks are registered. It is essential for IT users to check on vulnerability information on a daily basis, and update and/or apply security patches as soon as possible.

1.3. Hot Topic #2: Software Vulnerabilities in Critical Systems

~A case study: Vulnerability in emergency alert system of Montana TV & radio network hacked~

In February 2013, there was a happening that an emergency alert system of a Montana television and radio network in the U.S. broadcasted an emergency alert warning the attack by Zombies. It was later revealed that someone exploited the vulnerabilities in DASDEC, a system used to receive and process the alerts. These vulnerabilities are available to read in JVN iPedia as well (Table 1-2.).

Table 1-2. Vulnerabilities in DASDEC
ID (JVN iPedia) Title CVSS
(Base Score)
JVNDB-2013-003170 Compromised root SSH key in Digital Alert Systems DASDEC EAS and Monroe Electronics R189 One-Net EAS 10.0
JVNDB-2013-003171 Log information disclosure in Digital Alert Systems DASDEC EAS and Monroe Electronics R189 One-Net EAS 7.8
JVNDB-2013-003172 Predictable password generation in Digital Alert Systems DASDEC EAS and Monroe Electronics R189 One-Net EAS 7.5
JVNDB-2013-003173 Default password in Digital Alert Systems DASDEC EAS and Monroe Electronics R189 One-Net EAS 10.0

Fortunately, this incident caused little trouble, but in a worst case scenario, the attacker could have used the emergency alert system and caused a serious social chaos. The attacks known so far are mostly against information systems, but this is beginning to change and spreading into software and systems in other fields, like industrial systems and embedded systems. Especially, vulnerability reports for industrial control systems (ICS) used in industrial operations, such as production lines in plant, have been increasing since 2011. Figure 1-3-1 shows the number and severity of the reported software vulnerabilities in industrial control systems. As of the end of September, 413 vulnerabilities have been reported. In 2013, the number of ICS vulnerabilities with the highest severity, level III, are 66 out of 108 (about 61 percent), keeping its trend seen in the past years.

JVN iPedia provides the vulnerability information about not only information system software, such as OS, document software and web server software widely used on PC and servers, but also provides the vulnerabilities in critical system software used in social infrastructure.

2. Categorization of JVN iPedia Registered Data

2.1. Type of Vulnerabilities Registered

Figure 2-1 illustrates the number of vulnerability countermeasure information registered during the 3rd quarter of 2013, sorted by their vulnerability type using CWE(*9).

The types of vulnerabilities that have been reported most during this quarter are: CWE-119 (Buffer Errors) with 217 cases, CWE-79 (Cross-Site Scripting) with 187 cases, CWE-264 (Permissions, Privileges and Access Controls) with 130 cases, CWE-20 (Improper Input Validation) with 115 cases, CWE-399 (Resource Management Errors) with 58 cases and CWE-94 (Code Injection) with 54 cases.

Most of them are well-known types of vulnerabilities. Software developers need to make sure to implement necessary security measures from the planning and design phase of software development. IPA provides the guidelines that address these vulnerabilities, such as "Secure Programming Course"(*10), and also offers a hands-on vulnerability learning and experiencing tool "AppGoat(*11)" to promote secure programming.

2.2. Severity of Vulnerabilities Registered

Figure 2-2 shows the annual transitions in the severity of vulnerabilities registered to JVN iPedia based on the date they were first published.

As of September 30, 2013, 44 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 49 percent were labeled level ll ("Medium", CVSS Base Score = 4.0-6.9) and 7 percent were level I ("Low", CVSS Base Score = 0.0-3.9).

The severity of 93 percent of known vulnerabilities was level II or higher. To avoid threats from known vulnerabilities, it is essential for IT users to update and apply security patches as soon as possible.

2.3. Type of Products Reported for Having Vulnerability

Figure 2-3 shows the annual transitions in the type of software applications registered to JVN iPedia for having vulnerabilities, based on their respective vulnerability release date. Application vulnerabilities are published most and account for 86 percent of the total.

Since about 2008, the vulnerabilities in industrial control systems (ICS) used in critical infrastructures have started to be added. It was 8 vulnerabilities in 2008, 10 in 2009, 21 in 2010, 93 in 2011, 173 in 2012, and 108 as of the end of September in 2013. The total number is 413 and the number has been increasing since 2011.

2.4. Open Source Software

Figure 2-4 shows the annual transitions in the registered vulnerabilities found in open source software (OSS) and non-OSS software based on the date they were first published. The total of 16,670 OSS vulnerabilities have been registered. One of the reasons that the number of non-OSS vulnerabilities registered seems higher than before after 2007 is because all the NVD data released in and after 2007 have been added. Overall, 40 percent of them are OSS and 60 percent are non-OSS.

2.5. Product Vendors

Figure 2-5-1 and 2-5-2 show the breakdown of OSS and non-OSS software developers (vendors) registered in JVN iPedia as of September 30. The vendors are categorized into either domestic vendors, overseas vendors with Japan office, or overseas vendors without Japan office.

As seen in the graphs, the vendors without Japan office account for the most. As for OSS vendors, the overseas vendors without Japan office account for 96.3 percent, and as for non-OSS vendors, it is 91.4 percent. You can see that JVN iPedia offers a vast amount of vulnerability information on the products developed by the overseas vendors that do not have an office or base in Japan in Japanese.

The positive aspects of using OSS software are that it is free and a wide choice of software is available. But on the other hand, there is a possibility that the OSS vendors do not offer a sufficient support. If the users do not have a proper knowledge such as how to apply security patches, they should carefully think about pros and cons of using OSS software.

3. Most Accessed Vulnerability Countermeasure Information

Table 3-1 lists the top 20 most accessed vulnerability countermeasure information in the JVN iPedia during the 3rd quarter of 2013 (July - September).

Table 3-2 lists the top 5 vulnerability countermeasure information accessed among those reported by domestic product developers.

Table 3-1. Top 20 Most Accessed Vulnerability Countermeasure Information in JVN iPedia [Jul. 2013 ? Sep. 2013]
# ID Title CVSS
1 JVNDB-2013-003253 Android Arbitrary Code Execution Vulnerability 9.3 2013/7/11
2 JVNDB-2013-000085 VMware ESX and ESXi Vulnerable to Buffer Overflow 7.5 2013/9/6
3 JVNDB-2012-000051 Logitec LAN-W300N/R Series Fails to Restrict Access Permissions 7.5 2012/5/25
4 JVNDB-2012-001258 HTTPOnly Cookies Information Disclosure Vulnerability in protocol.c in Apache HTTP Server 4.3 2012/2/1
5 JVNDB-2013-003469 Apache Struts Vulnerable to Remote Command Execution 7.5 2013/7/23
6 JVNDB-2013-000084 VMware ESX and ESXi Vulnerable to Directory Traversal 6.4 2013/9/6
7 JVNDB-2013-000076 JP1/IT Desktop Management - Manager and Hitachi IT Operations Director Vulnerable to Privilege Escalation 5.5 2013/7/29
8 JVNDB-2013-000070 Oracle Outside in Vulnerable to Buffer Overflow 7.5 2013/7/17
9 JVNDB-2013-000072 JBoss RichFaces Vulnerable to Remote Code Execution 6.8 2013/7/19
10 JVNDB-2013-000087 Multiple Broadband Routers May Behave as Open Resolvers 5.0 2013/9/19
11 JVNDB-2013-002948 Arbitrary Command Execution Vulnerability in mod_rewrite Module in Apache HTTP Server 5.1 2013/6/12
12 JVNDB-2013-003349 Denial of Service (DoS) Vulnerability in ext/xml/xml.c in PHP 6.8 2013/7/16
13 JVNDB-2012-002110 WordPress Vulnerable to Cross-Site Scripting 4.3 2012/4/24
14 JVNDB-2013-003320 Denial of Service (DoS) Vulnerability in mod_dav.c in Apache HTTP Server 4.3 2013/7/12
15 JVNDB-2013-000069 Cybozu Office Session Management Vulnerability 4.0 2013/7/16
16 JVNDB-2013-000075 docomo Overseas Usage Application Vulnerability in the Connection Process 3.3 2013/8/7
17 JVNDB-2011-001638 Denial of Service (DoS) Vulnerability in apr_fnmatch.c and fnmatch.c used in Apache Portable Runtime Library 4.3 2011/5/27
18 JVNDB-2013-003441 Apache Struts Arbitrary OGNL Code Execution Vulnerability 9.3 2013/7/19
19 JVNDB-2013-000062 EC-CUBE Vulnerable to Code Injection 7.5 2013/6/27
20 JVNDB-2013-000068 AQUOS PhotoPlayer HN-PP150 Vulnerable to Denial-of-Service (DoS) 5.0 2013/7/11
Table 3-2. Top 5 Most Accessed Vulnerability Countermeasure Information from Domestic Developers [Jul. 2013 - Sep. 2013]
# ID Title CVSS
1 JVNDB-2013-003073 Vulnerability in JP1/HIBUN Advanced Edition Information Cypher Removable Media Encryption 1.2 2013/6/19
2 JVNDB-2013-003074 Cross-site Scripting Vulnerability in Hitachi Command Suite Products 4.3 2013/6/19
3 JVNDB-2013-002796 Arbitrary Commands Execution Vulnerability in JP1/Integrated Management - TELstaff Alarm View 10.0 2013/5/24
4 JVNDB-2013-002770 Cross-site Scripting Vulnerability in JP1/Automatic Operation 4.3 2013/5/21
5 JVNDB-2013-002427 Buffer Overflow Vulnerability in Hitachi IT Operations Director 10.0 2013/4/23

Note 1) Color Code for CVSS Base Score and Severity Level

CVSS Base Score
= 0.0~3.9
Severity Level = I (Low)
CVSS Base Score
= 4.0~6.9
Severity Level = II (Medium)
CVSS Base Score
= 7.0~10.0
Severity Level = III (High)

Note 2) Color Code for Published Date

Published in 2011 and before Published in 2012 Published in 2013


(*1) Japan Vulnerability Notes. A portal for vulnerability countermeasure information providing information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.

(*2) National Vulnerability Database. A vulnerability database operated by NIST.

(*3) National Institute of Standards and Technology. A U.S federal agency that develops and promotes measurement, standards and technology.

(*4) (Security Alert released on Sep. 6, 2013) (in Japanese)

(*5) A software framework that supports the development of websites, applications and services.

(*6) Software that provides interoperability between operating systems and applications.

(*7) Content Management Systems. Software that supports the development and management of websites.

(*8) Common Vulnerability Scoring System (CVSS) (in Japanese)
Based on a CVSS Base Score, it is evaluated in three levels. The higher the number, the higher the severity.
- Level III: A threat that could take complete remote control over the targeted system or lead to disclosure of a major part of information.
- Level II: A threat that could lead to disclosure of part of information or to denial of service.
- Level I: A situation where conditions required to execute an attack are complicated or the severity of a threat falls under the Level II but very unlikely to happen

(*9) Common Weakness Enumeration. (in Japanese)

(*10) (in Japanese)

(*11) Hands-on vulnerability learning and experiencing tool "AppGoat" (in Japanese)



IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)