Sep. 3, 2014
IT Security Center
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/) is endeavoring to become a comprehensive database where vulnerability countermeasure information for software used in Japan is aggregated and IT users can easily access the information. JVN iPedia has collected and/or translated the vulnerability countermeasure information published by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), a vulnerability information database run by NIST(*3). JVN iPedia has made this information available to the public since April 25, 2007.
~Vulnerability information stored in JVN iPedia is now over 46,000~
The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 2nd quarter of 2014 (April 1 to June 30, 2014) is shown in the table below. The total number of vulnerabilities stored in JVN iPedia is now over 46,000 (See Table 1-1, Figure 1-1).
As for the English version, a total of 1,053 vulnerabilities is available, as shown in the lower half of the table.
|Version||Information Source||Registered Cases||Cumulative Cases|
|Japanese Version||Domestic Product Developers||2 cases||158 cases|
|Japanese Version||JVN||145 cases||3,280 cases|
|Japanese Version||NVD||1,552 cases||43,422 cases|
|Japanese Version||Total||1,699 cases||46,860 cases|
|English Version||Domestic Product Developers||2 cases||158 cases|
|English Version||JVN||29 cases||895 cases|
|English Version||Total||31 cases||1,053 cases|
~Severity of 78% of OpenSSL, Adobe Flash Player, Internet Explorer and Apache Struts vulnerabilities is level III - the highest severity~
During the 2nd quarter, attacks exploiting the vulnerabilities in OpenSSL, Adobe Flash Player, Internet Explorer and Apache Struts (hereafter referred to as the “actively-exploited software”) were observed, and IPA has issued a security alert(*4). Moreover, attacks exploiting zero-day vulnerabilities in Adobe Flash Player and Internet Explorer (zero-day attacks) were observed abroad(*5), and in the case of OpenSSL, attacks exploiting its vulnerabilities were also confirmed in Japan and caused information exposure(*6).
Figure 1-2-1 shows the number of vulnerability countermeasure information entries for the aforementioned actively-exploited software registered to JVN iPedia in the last 5 years. The number for the first half of 2014 alone adds up to 177, which is 68 percent of the total for 2013 (258).
Figure 1-2-2 shows the CVSS(*7) severity ratio of the vulnerabilities in the actively-exploited software presented in Figure 1-2-1. Likewise, Figure 1-2-3 shows that of the vulnerabilities in all software registered to JVN iPedia. As shown in Figure 1-2-2, 78 percent of the vulnerabilities in the actively-exploited software are rated level III. This is far higher than the level III percentage among all software (43 percent).
Figure 1-2-4 shows the CWE(*8) types of the vulnerabilities in the actively-exploited software. CWE-119 (buffer errors) topped the list with 43 percent, followed by CWE-399 (resource management) and CWE-94 (code injection) with 11 percent. If a vulnerability of the most exploited type, CWE-119 (buffer errors), is exploited, an attacker could inflict serious damage such as executing arbitrary code and taking over control of the PC.
Internet Explorer and Adobe Flash Player, both included in Figure 1-2-1, are highly popular software. According to an IPA survey on security awareness conducted in October 2013(*9), among those who have never experienced damage from cyber attacks, only 45.4 percent say they run Windows Update and 35.4 percent say they update Adobe Flash Player. Even among those who have experienced damage from cyber attacks, only 55.9 percent say they run Windows Update and 47 percent say they update Adobe Flash Player. In many cases, users can avoid the damage if all software and applications are up to date. Make sure to use update notification settings such as the auto update feature, and update as soon as possible. System administrators should record and maintain the versions of all software and applications they use, and be prepared to update promptly based on the organization’s update rules.
~CMS(*10) vulnerabilities registered in 2014/2Q decreased to only 6, but website hacking is still rampant~
Figure 1-3-1 shows the number of vulnerabilities in the major CMS applications registered to JVN iPedia since 2009(*11). These vulnerabilities have often been exploited in web hacking. After its peak in 2009, when web hacking caused quite a stir(*12), the number has been on the decrease. Considering that web hacking is still rampant while reported vulnerabilities are decreasing, down to 6 during this quarter, it is assumed that old versions of CMS applications with known vulnerabilities are still in use and being exploited by attackers.
In response to the increase in web hackings that exploit vulnerabilities in old versions of CMS applications, IPA issued a security alert in June 2014(*13). Continuing to use an old version of a CMS could allow an attacker to hack your website, use it as a malware distribution channel and make you an “attacker” without your knowledge. Website administrators should review which CMS and CMS plug-ins they use and their versions, and keep them up to date. If support for the CMS in use has already ended or is about to end, consider migrating to another CMS or closing the website.
Figure 2-1 illustrates the number of vulnerability countermeasure information entries registered during the 2nd quarter of 2014, sorted by vulnerability type using CWE.
The type of the vulnerability that has been reported most during this quarter is CWE-264 (Permissions, Privileges and Access Controls) with 221 cases, followed by CWE-79 (Cross-Site Scripting) with 218 cases, CWE-119 (Buffer Errors) with 214 cases and CWE-20 (Improper Input Validation) with 176 cases. The most reported vulnerability type, CWE-264 (Permissions, Privileges and Access Controls), could lead to theft of classified information if exploited.
Software developers need to implement the necessary security measures from the planning and design phase of software development to mitigate vulnerabilities. IPA provides tools and guidelines, such as “Secure Programming Courses”(*14) to promote secure programming and “AppGoat”(*15) to help learn and understand vulnerabilities.
Figure 2-2 shows the annual change in the severity of vulnerabilities registered to JVN iPedia based on the date they were first published.
As of June 30, 2014, 43 percent of all vulnerabilities registered since the launch of JVN iPedia are level III (“High”, CVSS Base Score = 7.0-10.0), 50 percent are level II (“Medium”, CVSS Base Score = 4.0-6.9) and 7 percent are level I (“Low”, CVSS Base Score = 0.0-3.9).
This means the severity of 93 percent of the known vulnerabilities is level II or higher, which are threats critical enough to cause a service outage. To avoid threats imposed by the known vulnerabilities, it is essential for IT users to update software or apply security patches as soon as possible upon their release.
Figure 2-3 shows the annual change in the types of software applications registered to JVN iPedia for having vulnerabilities, based on their respective vulnerability release date. Application vulnerabilities are released most and account for 85 percent of the total.
Since about 2008, vulnerabilities in Industrial Control Systems (ICS) used in fields such as critical infrastructure have been added. During this quarter, 54 ICS vulnerabilities were registered, making the total 534.
Table 2-4 lists the top 20 software products for which the most vulnerabilities were registered during the 2nd quarter of 2014. Notably, the top 3 (Internet Explorer, Google Chrome and Safari) and the 8th (Firefox) are all browsers. A number of vulnerabilities are released daily. Products with many vulnerability records, such as browsers, are updated frequently and at short intervals. Users should pay close attention to these frequently updated products and make sure not to miss vulnerability information and patches.
|#||Category||Product Name (Vendor)||# of Vulnerabilities Registered|
|1||Browser||Internet Explorer (Microsoft)||86|
|2||Browser||Google Chrome (Google)||52|
|3||Development Environment||JDK, JRE (Oracle)||34|
|6||OS||Linux Kernel (kernel.org)||29|
|7||Other||IBM InfoSphere Systems (IBM)||28|
|8||OS||Cisco IOS (Cisco Systems)||25|
|8||Browser||Mozilla Firefox (Mozilla Foundation)||25|
|13||Middleware||Oracle Fusion Middleware (Oracle)||19|
|14||OS||Red Hat Enterprise Linux (Red Hat)||16|
|16||Media Player||Adobe Flash Player (Adobe Systems)||15|
|16||Media Player||Apple TV (Apple)||15|
|16||OS||Fedora (Fedora Project)||15|
Table 3-1 lists the top 20 most accessed vulnerability countermeasure information entries in JVN iPedia during the 2nd quarter of 2014 (April – June). The most accessed entry is a vulnerability in OpenSSL, which is used for encrypted communication. 7 out of the top 20 are OpenSSL vulnerabilities, and have been heavily accessed by users who need the countermeasure information. Vulnerabilities in server software used to build websites, such as Apache Struts (3rd, 5th, 9th and 17th) and Apache HTTP Server (19th), were also accessed frequently. For OpenSSL and Apache Struts in particular, the vulnerabilities found in them are critical and the software is widely used, so many people must have looked them up.
|#||ID||Title||CVSS Base Score||Published Date|
|1||JVNDB-2014-000048||OpenSSL improper handling of Change Cipher Spec message||4.0||2014/6/6|
|2||JVNDB-2014-002318||Arbitrary code execution vulnerability in Pixman used in Cairo in Mozilla Firefox and SeaMonkey on Windows||10.0||2014/5/1|
|3||JVNDB-2014-000045||Apache Struts vulnerable to ClassLoader manipulation||7.5||2014/4/25|
|4||JVNDB-2014-001920||OpenSSL heartbeat extension information disclosure vulnerability||5.0||2014/4/8|
|5||JVNDB-2014-001603||Apache Struts vulnerable to ClassLoader manipulation via ParametersInterceptor||7.5||2014/3/12|
|6||JVNDB-2014-000017||Apache Commons FileUpload vulnerable to denial-of-service (DoS)||5.0||2014/2/10|
|7||JVNDB-2014-002260||Use-after-free memory corruption vulnerability in Internet Explorer||10.0||2014/4/28|
|8||JVNDB-2014-001409||Use-after-free memory corruption vulnerability in Internet Explorer||9.3||2014/2/17|
|9||JVNDB-2014-002308||Apache Struts vulnerable to ClassLoader manipulation via ActionForm object||7.5||2014/5/1|
|10||JVNDB-2014-000044||intra-mart vulnerable to open redirect||4.3||2014/5/8|
|11||JVNDB-2014-001795||Vulnerability in Montgomery ladder implementation in OpenSSL allows an attacker to steal one-time token for elliptic curve digital signature algorithm||4.3||2014/3/26|
|12||JVNDB-2014-002765||The dtls1_reassemble_fragment function in d1_both.c in OpenSSL vulnerable to arbitrary code execution||6.8||2014/6/9|
|13||JVNDB-2010-005667||The ssl3_read_bytes function in s3_pkt.c vulnerable to data insertion across sessions||4.0||2014/4/16|
|14||JVNDB-2014-000041||Redmine vulnerable to open redirect||4.3||2014/4/16|
|15||JVNDB-2014-002137||Juniper ScreenOS vulnerable to denial-of-service (DoS)||7.8||2014/4/18|
|16||JVNDB-2014-000053||JustSystems Online Update Program bundled with JustSystems products vulnerable to arbitrary code execution||7.6||2014/6/11|
|17||JVNDB-2013-003469||Apache Struts vulnerable to remote command execution||7.5||2013/7/23|
|18||JVNDB-2014-002766||The dtls1_get_message_fragment function in d1_both.c in OpenSSL vulnerable to denial-of-service (DoS)||4.3||2014/6/9|
|19||JVNDB-2014-001717||mod_log_config.c in the mod_log_config module for Apache HTTP Server vulnerable to denial-of-service (DoS)||5.0||2014/3/19|
|20||JVNDB-2014-002767||The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL vulnerable to denial-of-service (DoS)||4.3||2014/6/9|
Table 3-2 lists the top 5 most accessed vulnerability countermeasure information entries among those reported by domestic product developers. The severity of the top 3 vulnerabilities is level III (High), meaning that vulnerabilities which may cause service outage or information exposure with high probability if attacked have attracted attention.
|#||ID||Title||CVSS Base Score||Published Date|
|1||JVNDB-2014-002800||Multiple Vulnerabilities in Hitachi Tuning Manager and JP1/Performance Management - Manager Web Option||9.0||2014/6/11|
|2||JVNDB-2014-002802||Xml eXternal Entity Vulnerability in XML link function of Hitachi COBOL2002||9.4||2014/6/11|
|3||JVNDB-2011-001633||Header Customization by Hitachi Web Server RequestHeader Directive Could Allow Attacker to Access Data Deleted from Memory||5.1||2011/5/26|
|4||JVNDB-2014-001594||JP1/File Transmission Server / FTP vulnerable to access control violation||8.5||2014/3/11|
|5||JVNDB-2014-001593||JP1/Integrated Management - Service Support vulnerable to cross-site scripting||4.3||2014/3/11|
Note 1) Color Code for CVSS Base Score and Severity Level
|Severity Level = I (Low)||Severity Level = II (Medium)||Severity Level = III (High)|
Note 2) Color Code for Published Date
|Published in 2012 and before||Published in 2013||Published in 2014|
(*1) Japan Vulnerability Notes. A portal for vulnerability countermeasure information providing information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.
(*2) National Vulnerability Database. A vulnerability database operated by NIST.
(*3) National Institute of Standards and Technology. A U.S. federal agency that develops and promotes measurement, standards and technology.
(*4) [UPDATE] OpenSSL Vulnerability (CVE-2014-0160)
[UPDATE] Adobe Flash Player Vulnerability (APSB14-13)(CVE-2014-0515)
[UPDATE] Internet Explorer Vulnerability (CVE-2014-1776)
[UPDATE] Apache Struts2 Vulnerability (CVE-2014-0094)(CVE-2014-0112)(CVE-2014-0113)
(*6) Breach of Members-Only Web Service: Some Customer Information Compromised
(*7) Common Vulnerability Scoring System (CVSS)
Based on a CVSS Base Score, it is evaluated in three levels. The higher the number, the higher the severity.
- Level III: A threat that could take complete remote control over the targeted system or lead to disclosure of a major part of information.
- Level II: A threat that could lead to disclosure of part of information or to denial of service.
- Level I: A situation where the conditions required to execute an attack are complicated, or the severity of a threat falls under Level II but is very unlikely to happen.
(*8) Common Weakness Enumeration.
(*9) Report on Security Awareness of Information Security Threats
(*12) Since web hackings that appear to be due to stolen FTP accounts have become prevalent, IPA issued a security alert
(*13) Consider closing your website down if not administered and maintained
(*14) http://www.ipa.go.jp/security/awareness/vendor/programmingv2/index.html (in Japanese)
(*15) Hands-on vulnerability learning and experiencing tool “AppGoat”
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)