Font Size Change

HOMEIT SecurityMeasures for Information Security VulnerabilitiesQuarterly ReportsVulnerability Countermeasure Information Database JVN iPedia Registration Status [2014 1th Quarter (Jan. - Mar.)]


IT Security

Vulnerability Countermeasure Information Database JVN iPedia Registration Status [2014 1th Quarter (Jan. - Mar.)]

May. 15, 2014
IT Security Center

1. 2014 1st Quarter: Vulnerability Countermeasure Information Database JVN iPedia Registration Status

The vulnerability countermeasure information database JVN iPedia ( is endeavoring to become a comprehensive database where vulnerability countermeasure information for software used in Japan is aggregated and IT users can easily access the information. JVN iPedia has collected and/or translated the vulnerability countermeasure information published by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), a vulnerability information database run by NIST(*3). JVN iPedia has continued to make these information available to the public since April 25, 2007.

1-1. Vulnerabilities Registered in 2014 1Q

~Vulnerability information stored in JVN iPedia is now over 45,000~

The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 1st quarter of 2014 (January 1 to March 31, 2014) is shown in the table below. The total number of vulnerabilities stored in JVN iPedia is now over 45,000 (See Table 1-1, Figure 1-1)(*4).

As for the English version, the total of 1,022 vulnerabilities are available as shown in the lower half of the table.

Table 1-1. Registered Vulnerabilities in 1st Quarter of 2014
  Information Source Registered Cases Cumulative Cases
Japanese Version Domestic Product Developers 3 cases 156 cases
JVN 264 cases 3,135 cases
NVD 1,523 cases 41,870 cases
Total 1,790 cases 45,161 cases
English Version Domestic Product Developers 3 cases 156 cases
JVN 32 cases 866 cases
Total 35 cases 1,022 cases

1-2. Hot Topic : Apr.8 End-of-Support Products account for 28 Percent of All Microsoft Vulnerabilities Registered to JVN iPedia during 2014 1Q

~85 Percent of which are critical vulnerabilities. Users are strongly encouraged to update to a newer OS~

On April 8, 2014, support for Microsoft Windows XP, Office 2003 and Internet Explorer (IE) 6 has officially ended. Since vulnerability in these three end-of-support products will be no longer fixed even if a new one is found, the computers using them will always be exposed to security risks.

Figure 1-2-1 shows the number of the vulnerabilities in Microsoft products registered to JVN iPedia during the 1st quarter of 2014 - the last quarter these three end-of-support products werel under vendor support. Among the total of 72 vulnerabilities, 20 are of these three end-of-support products, which accounts for 28 percent. To be more specific, IE accounts for 17 percent, Windows XP for 7 percent and Office 2003 for 4 percent.

Some of the IE vulnerabilities allow an attacker to redirect a user to a malicious web page and infect the user’s PC with malware to steal data and/or remote control it. In fact, attacks targeting these vulnerabilities had already been observed at the time of the release of an update(*5).

Figure 1-2-2 shows the CVSS(*6)severity of the 20 vulnerabilities in the aforementioned end-of-support products reported in 1Q, and Figure 1-2-3 shows that of the vulnerabilities in all software products.85 percent of the vulnerabilities in three end-of-life products are the severity level III. Compared to all software products, the rate is quite higher.The result seems to suggest that to improve product security, Microsoft enforces strict vulnerability inspection by its own standards and methods giving priority to find critical vulnerabilities.

Figure 1-2-4 shows the CWE(*7)types of the three end-of-support products presented in Figure 1-2-1. As you can see, CWE-119 (buffer errors) is outstandingly high (84 percent). If this vulnerability is exploited, an attacker could execute malicious programs on the target system and take over its control.

Even to the last minute, critical vulnerabilities in those three end-of-support products have kept coming up. Once support ends, since the vendor no longer provides vulnerability information, users cannot resolve or mitigate security risks properly and the risk of malware infection and security breach become higher. Thus, users should stop using end-of-support products and migrate to a successor Windows OS or alternative OS that does have vendor support.

2. Categorization of JVN iPedia Registered Data

2-1. Type of Vulnerabilities Registered

Figure 2-1 illustrates the number of vulnerability countermeasure information registered during the 1st quarter of 2014, sorted by their vulnerability type using CWE.

The type of the vulnerability that has been reported most during this quarter is CWE-79 (Cross-Site Scripting) with 262 cases, followed by CWE-119 (Buffer Errors) with 191 cases, CWE-264 (Permissions, Privileges and Access Controls) with 187 cases and CWE-20 (Improper Input Validation) with 152 cases.

Software developers need to make sure to implement necessary security measures from the planning and design phase of software development to mitigate vulnerability. IPA provides the tools and guidelines, such as “Secure Programming Course”(*8) to promote secure programming and “AppGoat”(*9) to help learn and understand vulnerability.

2-2. Severity of Vulnerabilities Registered

Figure 2-2 shows the annual change in the severity of vulnerabilities registered to JVN iPedia based on the date they were first published.

As of March 31, 2014, 43 percent of all vulnerabilities registered since the launch of JVN iPedia are level III (“High”, CVSS Base Score = 7.0-10.0), 50 percent are level ll (“Medium”, CVSS Base Score = 4.0-6.9) and 7 percent were level I (“Low”, CVSS Base Score = 0.0-3.9).

This means the severity of 93 percent of the known vulnerabilities is level II or higher, which are threats critical enough to cause a service outage. To avoid threats imposed by the known vulnerabilities, it is essential for IT users to update software or apply security patches as soon as possible upon their release.

2-3. Type of Products Reported for Having Vulnerability

Figure 2-3 shows the annual change in the types of software applications registered to JVN iPedia for having vulnerabilities, based on their respective vulnerability release date. Application vulnerabilities are published most and account for 85 percent of the total.

Since about 2008, the vulnerabilities in Industrial Control System (ICS) used in critical infrastructures have started to be added. During this quarter, 43 ICS vulnerabilities were registered, making the total 480.

2-4. Product Registered

Table 2-4 lists the top 20 software products that vulnerabilities were most registered during the 1st quarter of 2014. The top 3 are IE, Google Chrome and Mozilla Firefox, suggesting browsers are frequently updated. A number of vulnerabilities are released daily, thus sometimes vulnerabilities in the products that a user is using are fixed before the user knows.

The products with a number of vulnerability records are likely updated a lot in a short time, and the user may miss one or two of them. Using the list below as a clue, the user should be especially diligent about those often-updated products and make sure not to miss important vulnerability information and patches.

Table 2-4. Top 20 Software Products Vulnerabilities Were Most Registered
#CategoryProduct Name (Vendor)# of Vulnerability Registered
1BrowserInternet Explorer (Microsoft)53
2BrowserGoogle Chrome (Google)45
3BrowserMozilla Firefox (Mozilla Foundation)36
3Development EnvironmentJDK, JRE (Oracle)36
3OtherownCloud (ownCloud)36
6OSLinux Kernel (
7OtherMozilla SeaMonkey (Mozilla Foundation)28
8OSApple iOS (Apple)27
8MiddlewareMySQL (Oracle)27
10MiddlewareCosminexus (Hitachi)26
10OSRed Hat Enterprise Linux (Red Hat)26
12Network SoftwareCisco Unified Communications Manager(Cisco Systems)21
12MailMozilla Thunderbird (Mozilla Foundation)21
14Media PlayerApple TV (Apple)19
15OSUbuntu (Ubuntu)16
16MessengerPidgin (Pidgin)14
17eLearning SystemMoodle (Moodle)13
17CMSPlone (Plone Foundation)13
19OtherIBM Algo One (IBM)12
19OSopenSUSE (Novell)12

3. Most Accessed Vulnerability Countermeasure Information

Table 3-1 lists the top 20 most accessed vulnerability countermeasure information on the JVN iPedia during the 1st quarter of 2014 (January – March). No. 1 is a NTP vulnerability exploited in DDoS attacks. Also, the vulnerabilities in server software(*10) used to build websites, such as Apache Commons FileUpload (No.2) and Apache HTTP Server (No.6, 7), were accessed a lot(*11).

Table 3-2 lists the top 5 vulnerability countermeasure information accessed among those reported by domestic product developers. The severity of top 3 vulnerabilities is level lll (High), meaning the vulnerabilities that may cause a service outage or information leak with high probability if attacked have attracted attention.

Table 3-1. Top 20 Most Accessed Vulnerability Countermeasure Information in JVN iPedia [Jan. 2014 – Mar. 2014]
1JVNDB-2013-005768Denial-of-service (DoS) vulnerability in the monlist feature in ntp_request.c in ntpd in NTP5.02014/1/7
2JVNDB-2014-000017Apache Commons FileUpload vulnerable to denial-of-service (DoS)5.02014/2/10
3JVNDB-2013-000111Android OS vulnerable to arbitrary Java method execution6.82013/12/17
4JVNDB-2014-001409Internet Explorer use-after-free vulnerability9.32014/2/17
5JVNDB-2014-001243Apple iTunes vulnerable to content spoofing5.82014/1/27
6JVNDB-2012-001258HTTPOnly Cookies Information Disclosure Vulnerability in protocol.c in Apache HTTP Server4.32012/2/1
7JVNDB-2013-002948Arbitrary command execution vulnerability in mod_rewite module in Apache HTTP Server5.12013/6/12
8JVNDB-2014-000006EC-CUBE vulnerable to information disclosure5.02014/1/22
9JVNDB-2014-000011Sanshiro Series vulnerable to arbitrary code execution9.32014/1/28
10JVNDB-2012-000075Sleipnir Mobile for Android vulnerable to arbitrary Java method execution5.82012/8/8
11JVNDB-2011-002305SSL and TLS allow chosen plaintext attack in CBC modes4.32011/10/4
12JVNDB-2014-001301Buffer overflow vulnerability in Oracle MySQL and client/ in MariaDB7.52014/2/4
13JVNDB-2013-000119Juniper ScreenOS vulnerable to denial-of-service (DoS)7.82013/12/13
14JVNDB-2014-001305ZTE ZXV10 W300 hard-corded credentials vulnerability9.32014/2/5
15JVNDB-2013-000123VMware ESX and ESXi may allow access to arbitrary files2.12013/12/24
16JVNDB-2013-005585Arbitrary code execution vulnerability in the asn1_time_to_time_t function in ext/openssl/openssl.c in PHP7.52013/12/18
17JVNDB-2013-000016Kingsoft Writer vulnerable to buffer overflow6.82013/3/1
18JVNDB-2013-005745Vulnerabilities in DTLS Retransmission Implementation in OpenSSL5.82014/1/6
19JVNDB-2014-000027sp mode mail issue when accessing attachments in incoming mail2.62014/3/18
20JVNDB-2014-000029sp mode mail vulnerability where Java methods may be executed6.82014/3/18
Table 3-2. Top 5 Most Accessed Vulnerability Countermeasure Information from Domestic Developers [Jan. 2014 - Mar. 2014]
1JVNDB-2014-001203A Problem of CPU Consumption in Host Data Collector bundled with Hitachi Device Manager Software7.82014/1/21
2JVNDB-2014-001594JP1/File Transmission Server / FTP vulnerable to access control violation8.52014/3/11
3JVNDB-2013-005262xBuffer Overflow Vulnerability in the log function of Interstage HTTP Server10.02013/11/27
4JVNDB-2013-005669Xml eXternal Entity Vulnerability in Hitachi Cosminexus2.62013/12/25
5JVNDB-2014-001593JP1/Integrated Management - Service Support vulnerable to cross-site scripting4.32014/3/11

Note 1) Color Code for CVSS Base Score and Severity Level

CVSS Base Score
= 0.0~3.9
Severity Level = I (Low)
CVSS Base Score
= 4.0~6.9
Severity Level = II (Medium)
CVSS Base Score
= 7.0~10.0
Severity Level = III (High)

Note 2) Color Code for Published Date

Published in 2012 and before Published in 2013 Published in 2014


(*1) Japan Vulnerability Notes. A portal for vulnerability countermeasure information providing information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.

(*2) National Vulnerability Database. A vulnerability database operated by NIST.

(*3) National Institute of Standards and Technology. A U.S federal agency that develops and promotes measurement, standards and technology.

(*4) A sharp rise in the number in 2012 is due to a reason that part of the vulnerabilities released on NVD in the past, but no on JVN iPedia, have been added to JVN iPedia that year

(*5) Security Alert: Microsoft Security Bulletin (February 2014) Japanese)
Security Alert: Microsoft Security Bulletin (March 2014) Japanese)

(*6)Common Vulnerability Scoring System (CVSS) (in Japanese)
Based on a CVSS Base Score, it is evaluated in three levels. The higher the number, the higher the severity.
- Level III: A threat that could take complete remote control over the targeted system or lead to disclosure of a major part of information.
- Level II: A threat that could lead to disclosure of part of information or to denial of service.
- Level I: A situation where conditions required to execute an attack are complicated or the severity of a threat falls under the Level II but very unlikely to happen

(*7) Common Weakness Enumeration. (in Japanese)

(*8) (in Japanese)

(*9) Hands-on vulnerability learning and experiencing tool “AppGoat” (in Japanese)

(*10) Software used to implement functions to provide web services

(*11) Besides those mentioned in the text, No. 8, 11, 12, 15, 18 are also categorized into server software



IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)