Feb. 14, 2014
IT Security Center
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/) is endeavoring to become a comprehensive database where vulnerability countermeasure information for software used in Japan is aggregated and IT users can easily access the information. JVN iPedia has collected and/or translated the vulnerability countermeasure information published by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), a vulnerability information database run by NIST(*3). JVN iPedia has continued to make this information available to the public since April 25, 2007.
~Vulnerability information stored in JVN iPedia is now over 43,000~
The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 4th quarter of 2013 (October 1 to December 31, 2013) is shown in the table below. The total number of vulnerabilities stored in JVN iPedia is now over 43,000 (See Table 1-1, Figure 1-1).
As for the English version, a total of 987 vulnerabilities is available, as shown in the lower half of the table.
Table 1-1: Vulnerability information registered to JVN iPedia in the 4th quarter of 2013

| Version | Information Source | Registered Cases | Cumulative Cases |
|---|---|---|---|
| Japanese Version | Domestic Product Developers | 4 cases | 153 cases |
| Japanese Version | JVN | 116 cases | 2,871 cases |
| Japanese Version | NVD | 1,435 cases | 40,347 cases |
| Japanese Version | Total | 1,555 cases | 43,371 cases |
| English Version | Domestic Product Developers | 4 cases | 153 cases |
| English Version | JVN | 34 cases | 834 cases |
| English Version | Total | 38 cases | 987 cases |
These days, smartphones have been spreading rapidly, and vendors and individuals are scrambling to develop smartphone applications. As Android has increased its share of the smartphone market over the last few years, the number of Android vulnerabilities registered to JVN iPedia has also risen steeply.
Figure 1-2-1 shows the Android vulnerabilities registered to JVN iPedia, categorized by whether they are OS or application vulnerabilities. Of the total of 187, 133 are Android application vulnerabilities, which account for 71 percent.
Figure 1-2-2 shows the CVSS(*4) severity of the aforementioned 133 Android application vulnerabilities, divided into 6 categories consolidated from Google Play’s 26 categories(*5). Out of the 133 vulnerabilities, 79 are in communication applications such as browsers and mailers, and in social applications for social networking; together they account for 59 percent. The users of these applications need to realize that if they keep using old vulnerable versions, sensitive data like message contents, communication history and address books may be stolen.
Figure 1-2-3 shows the CWE(*6) types of the Android application vulnerabilities. As one would guess from the incidents where sensitive data handled by applications are accessed and/or modified, CWE-264 (Permissions, Privileges and Access Controls) stands out with 32 vulnerabilities, followed by CWE-200 (Information Exposure) with 9. This indicates that the types of vulnerabilities that can be used to steal sensitive data have been reported and registered in large numbers.
Not limited to Android devices, any device that stores sensitive personal information, such as a smartphone, must be protected from vulnerability exploitation just like a PC. Users running old vulnerable versions of applications should update them immediately. At the same time, application developers should proactively practice secure coding to avoid building in vulnerabilities and to develop safe applications.
~Compared to the ratio among overall vulnerabilities, the severity of ICS vulnerabilities tends to be higher~
The number of vulnerabilities in ICS software used in production plants and similar facilities has increased dramatically over the past few years. In 2013, 131 ICS vulnerabilities were registered. Figure 1-3-1 shows the number and severity of ICS vulnerabilities stored in JVN iPedia. As of the 4th quarter, the cumulative total since the launch of JVN iPedia is 437. Out of the 131 vulnerabilities registered in 2013, 80 are level III, which accounts for more than 60 percent.
Figures 1-3-2 and 1-3-3 show the severity of vulnerabilities in ICS software and across all software, respectively. As for ICS software, 61 percent of the vulnerabilities are level III (“High”, CVSS Base Score = 7.0-10.0), 37 percent are level II (“Medium”, CVSS Base Score = 4.0-6.9) and 2 percent are level I (“Low”, CVSS Base Score = 0.0-3.9). It is clear that the share of level III vulnerabilities is quite high compared to that across all software.
Figure 1-3-4 shows the CWE types of ICS vulnerabilities. The number of CWE-119 (Buffer Errors) vulnerabilities, which may pose a serious threat such as arbitrary code execution, is 122, which accounts for about 30 percent of the total.
ICS operators should check vulnerability information regularly, and if a vulnerability is found in a product they use, ask its vendor or retailer whether a solution such as an updated version is available and take the necessary action promptly. If they cannot take action immediately for some reason, they should evaluate the system environment, such as the network environment in which the vulnerable industrial control system operates and the risks it faces, and consider what can be done to reduce the risks and mitigate the threats(*7).
Figure 2-1 illustrates the number of vulnerability countermeasure information registered during the 4th quarter of 2013, sorted by their vulnerability type using CWE.
The type of vulnerability reported most during this quarter is CWE-264 (Permissions, Privileges and Access Controls) with 192 cases, followed by CWE-119 (Buffer Errors) with 182 cases, CWE-20 (Improper Input Validation) with 174 cases, and CWE-79 (Cross-Site Scripting) with 169 cases.
Most of them are well-known types of vulnerabilities. Software developers need to make sure to implement the necessary security measures from the planning and design phase of software development. IPA provides guidelines that address these vulnerabilities, such as the “Secure Programming Course”(*8), and also offers a hands-on vulnerability learning and experiencing tool, “AppGoat”(*9), to promote secure programming.
Figure 2-2 shows the annual transitions in the severity of vulnerabilities registered to JVN iPedia based on the date they were first published.
As of December 31, 2013, 44 percent of all vulnerabilities registered since the launch of JVN iPedia are level III (“High”, CVSS Base Score = 7.0-10.0), 49 percent are level II (“Medium”, CVSS Base Score = 4.0-6.9) and 7 percent are level I (“Low”, CVSS Base Score = 0.0-3.9).
This means the severity of 93 percent of the known vulnerabilities is level II or higher, which represents threats serious enough to cause a service outage. To avoid the threats posed by known vulnerabilities, it is essential for IT users to update and apply security patches as soon as possible upon their release.
Figure 2-3 shows the annual transitions in the types of software registered to JVN iPedia as having vulnerabilities, based on their respective vulnerability release dates. Application vulnerabilities are published most and account for 85 percent of the total.
Since about 2008, vulnerabilities in ICS used in critical infrastructure have been added. As of the end of December 2013, a total of 437 such vulnerabilities has been registered.
Figure 2-4 shows the annual transitions in the registered vulnerabilities found in open source software (OSS) and non-OSS software, based on the date they were first published. In total, 17,228 OSS vulnerabilities and 26,143 non-OSS vulnerabilities have been registered. One reason the number of registered non-OSS vulnerabilities is higher from 2007 onward than before is that all NVD data released in and after 2007 have been added to JVN iPedia. Overall, 40 percent of them are OSS and 60 percent are non-OSS.
Figures 2-5-1 and 2-5-2 show the breakdown of OSS and non-OSS software developers (vendors) registered in JVN iPedia as of December 31, 2013. The vendors are categorized as domestic vendors, overseas vendors with a Japan office, or overseas vendors without a Japan office.
As seen in the figures, overseas vendors without a Japan office account for the largest share. Among OSS vendors, overseas vendors without a Japan office account for 96.4 percent, and among non-OSS vendors, 91.3 percent. In other words, more than 90 percent of the vulnerability information is about products developed by overseas vendors without a Japan office.
The positive aspects of using OSS are that it is free and easily available. On the other hand, there is a possibility that OSS vendors do not offer the support necessary to use it safely. If IT users use OSS products, it is important for them to build the capability to implement the necessary security measures, such as applying patches, by themselves.
Table 3-1 lists the top 20 most accessed vulnerability countermeasure information in the JVN iPedia during the 4th quarter of 2013 (October – December). No. 1 was an Android OS vulnerability. Also, the vulnerabilities in server software used to build websites, such as Apache HTTP Server (No.4, 6, 17) and Apache Struts 2 (No. 9, 11), were accessed a lot.
Table 3-2 lists the top 5 vulnerability countermeasure information accessed among those reported by domestic product developers. The severity of all top 5 vulnerabilities is level III (High), meaning that vulnerabilities which may cause a service outage with high probability if attacked have attracted attention.
Table 3-1: Top 20 most accessed vulnerability countermeasure information in JVN iPedia (4th quarter of 2013)

| No. | ID | Title | CVSS Base Score | Published Date |
|---|---|---|---|---|
| 1 | JVNDB-2013-000111 | Android OS vulnerable to arbitrary Java method execution | 6.8 | 2013/12/17 |
| 2 | JVNDB-2013-004553 | Arbitrary code execution vulnerability in kernel mode driver in multiple Microsoft products | 9.3 | 2013/10/10 |
| 3 | JVNDB-2013-000103 | Ichitaro series vulnerable to arbitrary code execution | 9.3 | 2013/11/12 |
| 4 | JVNDB-2013-002948 | Arbitrary command execution vulnerability in mod_rewrite module in Apache HTTP Server | 5.1 | 2013/6/12 |
| 5 | JVNDB-2013-004456 | Cross-site request forgery vulnerability in multiple SONY network camera products | 6.8 | 2013/10/4 |
| 6 | JVNDB-2012-001258 | HTTPOnly Cookies Information Disclosure Vulnerability in protocol.c in Apache HTTP Server | 4.3 | 2012/2/1 |
| 7 | JVNDB-2013-004826 | Denial of Service (DoS) Vulnerability in Node.js in HTTP Server | 5.0 | 2013/10/23 |
| 8 | JVNDB-2013-004911 | Using nginx in default settings allows attacker to obtain sensitive information | 7.5 | 2013/10/29 |
| 9 | JVNDB-2013-003469 | Apache Struts vulnerable to remote command execution | 7.5 | 2013/7/23 |
| 10 | JVNDB-2011-002305 | SSL and TLS allow chosen plaintext attack in CBC modes | 4.3 | 2011/10/4 |
| 11 | JVNDB-2013-004372 | Apache Struts Vulnerability | 10.0 | 2013/10/2 |
| 12 | JVNDB-2013-000119 | Juniper ScreenOS vulnerable to denial-of-service (DoS) | 7.8 | 2013/12/13 |
| 13 | JVNDB-2013-004446 | Use-after-free vulnerability in multiple products that use International Components for Unicode (ICU) | 7.5 | 2013/10/3 |
| 14 | JVNDB-2013-000093 | Internet Explorer vulnerable to arbitrary code execution | 6.8 | 2013/9/19 |
| 15 | JVNDB-2013-000094 | Accela BizSearch vulnerable to cross-site scripting | 4.3 | 2013/10/4 |
| 16 | JVNDB-2013-000095 | HDL-A and HDL2-A Series vulnerable in session management | 4.0 | 2013/10/18 |
| 17 | JVNDB-2011-002172 | Apache HTTPD Server denial of service vulnerability | 7.8 | 2011/9/1 |
| 18 | JVNDB-2013-005095 | Vulnerability in Tweetbot used in multiple Apple products automatically forces to execute unrequired actions for users | 6.8 | 2013/11/14 |
| 19 | JVNDB-2013-005585 | Arbitrary code execution vulnerability in the asn1_time_to_time_t function in ext/openssl/openssl.c in PHP | 7.5 | 2013/12/18 |
| 20 | JVNDB-2013-001460 | Distinguishing and plaintext-recovering attack vulnerability in TLS protocol and DTLS protocol | 2.6 | 2013/2/13 |
Table 3-2: Top 5 most accessed vulnerability countermeasure information reported by domestic product developers (4th quarter of 2013)

| No. | ID | Title | CVSS Base Score | Published Date |
|---|---|---|---|---|
| 1 | JVNDB-2013-004410 | Arbitrary Commands Execution Vulnerability in JP1/Base | 8.3 | 2013/10/3 |
| 2 | JVNDB-2013-005262 | Buffer Overflow Vulnerability in the log function of Interstage HTTP Server | 10.0 | 2013/11/27 |
| 3 | JVNDB-2013-004409 | Arbitrary Commands Execution Vulnerability in JP1/Automatic Job Management System 3 and JP1/Automatic Job Management System 2 | 8.3 | 2013/10/3 |
| 4 | JVNDB-2013-004319 | Multiple vulnerabilities in Java bundled with Hitachi JP1/Cm2/Network Node Manager | 9.7 | 2013/9/26 |
| 5 | JVNDB-2013-004318 | Multiple vulnerabilities in Hitachi JP1/Cm2/Network Node Manager i | 9.7 | 2013/9/26 |
Note 1) Color Code for CVSS Base Score and Severity Level (the colors of the original tables are not reproduced here)
- CVSS Base Score 0.0-3.9: Severity Level = I (Low)
- CVSS Base Score 4.0-6.9: Severity Level = II (Medium)
- CVSS Base Score 7.0-10.0: Severity Level = III (High)
Note 2) Color Code for Published Date (the colors of the original tables are not reproduced here)
- Published in 2011 and before
- Published in 2012
- Published in 2013
(*1) Japan Vulnerability Notes. A portal for vulnerability countermeasure information providing information on vendor responses to reported vulnerabilities and security support. Operated jointly by IPA and JPCERT/CC.
(*2) National Vulnerability Database. A vulnerability database operated by NIST.
(*3) National Institute of Standards and Technology. A U.S. federal agency that develops and promotes measurement, standards and technology.
(*4) Common Vulnerability Scoring System (CVSS)
http://www.ipa.go.jp/security/vuln/CVSS.html (in Japanese)
Severity is rated in three levels based on the CVSS Base Score. The higher the score, the higher the severity.
- Level III: A threat that could allow complete remote control over the targeted system or lead to disclosure of a major part of the information.
- Level II: A threat that could lead to disclosure of part of the information or to denial of service.
- Level I: A situation where the conditions required to execute an attack are complicated, or where the severity of the threat falls under Level II but the threat is very unlikely to materialize.
(*5) A service offered by Google to distribute and sell Android applications. Applications are categorized into the following types.
(*6) Common Weakness Enumeration.
http://www.ipa.go.jp/security/vuln/CWE.html (in Japanese)
(*7) Security Alert for Industrial Control System Vulnerability.
(*9) Hands-on vulnerability learning and experiencing tool “AppGoat”
http://www.ipa.go.jp/security/vuln/appgoat/index.html (in Japanese)
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)