Font Size Change

HOMEIT SecurityMeasures for Information Security VulnerabilitiesQuarterly ReportsVulnerability Countermeasure Information Database JVN iPedia Registration Status [2014 2nd Quarter (Apr. – Jun.)]

PRINT PAGE

IT Security

Vulnerability Countermeasure Information Database JVN iPedia Registration Status [2014 2nd Quarter (Apr. – Jun.)]

Sep. 3, 2014
IT Security Center

1. 2014 2nd Quarter: Vulnerability Countermeasure Information Database JVN iPedia Registration Status

The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/) is endeavoring to become a comprehensive database where vulnerability countermeasure information for software used in Japan is aggregated and IT users can easily access the information. JVN iPedia has collected and/or translated the vulnerability countermeasure information published by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), a vulnerability information database run by NIST(*3). JVN iPedia has continued to make these information available to the public since April 25, 2007.

1-1. Vulnerabilities Registered in 2014 2Q

~Vulnerability information stored in JVN iPedia is now over 46,000~

The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 2nd quarter of 2014 (April 1 to June 30, 2014) is shown in the table below. The total number of vulnerabilities stored in JVN iPedia is now over 46,000 (See Table 1-1, Figure 1-1).

As for the English version, the total of 1,053 vulnerabilities are available as shown in the lower half of the table.

Table 1-1. Registered Vulnerabilities in 2nd Quarter of 2014
  Information Source Registered Cases Cumulative Cases
Japanese Version Domestic Product Developers 2 cases 158 cases
JVN 145 cases 3,280 cases
NVD 1,552 cases 43,422 cases
Total 1,699 cases 46,860 cases
English Version Domestic Product Developers 2 cases 158 cases
JVN 29 cases 895 cases
Total 31 cases 1,053 cases

1-2. Hot Topic #1: High-Severity Vulnerabilities Caused Information Exposure

~Severity of 78% of OpenSSL, Adobe Flash Player, Internet Explorer and Apache Struts vulnerabilities is level III - the highest severity~

During the 2nd quarter, attacks exploiting the vulnerabilities in OpenSSL, Adobe Flash Player, Internet Explorer and Apache Struts were observed (hereafter referred to as the “actively-exploited softwares”) and IPA has issued a security alert(*4). Moreover, attacks exploiting the zero-day vulnerabilities in Adobe Flash Player and Internet Explorer (zero-day attacks) were observed abroad(*5), and in the case of OpenSSL, attacks exploiting its vulnerabilities were also confirmed in Japan and caused information Exposure(*6).

Figure 1-2-1 shows the number of vulnerability countermeasure information about the aforementioned actively-exploited softwares registered to JVN iPedia in the last 5 years. The number for the first half of 2014 alone adds up to 177, which accounts for 68 percent of the total of 2013 (258).

Figure 1-2-2 shows the CVSS(*7) severity ratio of the vulnerabilities in the actively-exploited softwares presented in Figure 1-2-1. Likely, Figure 1-2-3 shows that of the vulnerabilities in all softwares registered to JVN iPedia. As shown in Figure 1.2.2, 78 percent of the vulnerabilities in the actively-exploited softwares are rated level III. Compared to the level lll percentage among all softwares (43 percent), it is way higher.

Figure 1-2-4 shows the CWE(*8) types of the vulnerabilities in the actively-exploited softwares. CWE-119 (buffer errors) topped with 43 percent, followed by CWE-399 (resource management) and CWE-94 (code injection) with 11 percent. If the most exploited type of vulnerability, CWE-119 (buffer errors), is exploited, an attacker could inflict serious damage such as executing arbitrary code and taking over the control of the PC.

Internet Explorer and Adobe Flash Player picked up in Figure 1-2-1 are highly popular software. According to an IPA survey on security awareness conducted in October 2013(*9), among those who have never experienced the damage from cyber attacks, only 45.4 percent say they run Windows Update and 35.4 percent say they update Adobe Flash Player. As for those who have experienced the damage from cyber attacks, still, only 55.9 percent say they run Windows Update and 47 percent say they update Adobe Flash Player. In many cases, if all softwares and applications are up to date, users can avoid the damage. Make sure to leverage update notification settings such as the auto update feature, and update as soon as possible. System administrators should record and maintain the version of all softwares and applications they use, and be prepared to update promptly based on the organization’s update rules.

1-3. Hot Topic #2: Software Often Exploited in Website Hacking

~CMS(*10) vulnerabilities registered in 2014/2Q decreased to only 6, but website hacking are still rampant~

Figure 1-3-1 shows the number of vulnerabilities in the major CMS applications registered to JVN iPedia since 2009(*11). They have been often exploited in web hacking. After its peak in 2009 when web hacking caused a quite stire(*12), the number has been on the decrease. Considering web hacking does have been still rampant yet reported vulnerabilities are decreasing, especially down to 6 during this quarter, it is assumed that old versions of CMS applications with known vulnerabilities are still used and exploited by attackers.

Upon the increase of web hackings that exploit vulnerabilities in old versions of CMS applications, IPA has issued a security alert in June 2014(*13).

Keeping using an old version of CMS could allow an attacker to hack your website, use it as a malware distribution channel and make you an “attacker” without your knowing. Website administrators should review the use of a CMS and CMS plug-ins and their version, and keep them up to date. If the support for the CMS in use has already been ended or is about to end, consider the migration to another CMS or closing the website.

2. Details on JVN iPedia Registered Data

2-1. Type of Vulnerabilities Reported

Figure 2-1 illustrates the number of vulnerability countermeasure information registered during the 2nd quarter of 2014, sorted by their vulnerability type using CWE.

The type of the vulnerability that has been reported most during this quarter is CWE-264 (Permissions, Privileges and Access Controls) with 221 cases, followed by CWE-79 (Cross-Site Scripting) with 218 cases, CWE-119 (Buffer Errors) with 214 cases and CWE-20 (Improper Input Validation) with 176 cases. The most reported vulnerability type, CWE-264 (Permissions, Privileges and Access Controls), could lead to theft of classified information if exploited.

Software developers need to make sure to implement necessary security measures from the planning and design phase of software development to mitigate vulnerability. IPA provides the tools and guidelines, such as “Secure Programming Courses(*14) to promote secure programming and “AppGoat(*15)” to help learn and understand vulnerability.

2-2. Severity of Vulnerabilities Reported

Figure 2-2 shows the annual change in the severity of vulnerabilities registered to JVN iPedia based on the date they were first published.

As of June 30, 2014, 43 percent of all vulnerabilities registered since the launch of JVN iPedia are level III (“High”, CVSS Base Score = 7.0-10.0), 50 percent are level ll (“Medium”, CVSS Base Score = 4.0-6.9) and 7 percent were level I (“Low”, CVSS Base Score = 0.0-3.9).

This means the severity of 93 percent of the known vulnerabilities is level II or higher, which are threats critical enough to cause a service outage. To avoid threats imposed by the known vulnerabilities, it is essential for IT users to update software or apply security patches as soon as possible upon their release.

2-3. Type of Products Reported for Having Vulnerability

Figure 2-3 shows the annual change in the types of software applications registered to JVN iPedia for having vulnerabilities, based on their respective vulnerability release date. Application vulnerabilities are released most and account for 85 percent of the total.

Since about 2008, the vulnerabilities in Industrial Control Systems (ICS) used in the fields such as critical infrastructure have started to be added. During this quarter, 54 ICS vulnerabilities were registered, making the total 534.

2-4. Product Reported

Table 2-4 lists the top 20 software products that vulnerabilities were most registered during the 2nd quarter of 2014. Eye-catchingly, the top 3 (Internet Explorer, Google Chrome and Safari) and the 8th (Firefox) are all browsers. A number of vulnerabilities are released daily. The products with many vulnerability records, such as browsers, are updated often in a short time. Users should be diligent about those often-updated products and make sure not to miss vulnerability information and patches.

Table 2-4. Top 20 Software Products Vulnerabilities Were Most Registered
#CategoryProduct Name (Vendor)# of Vulnerability Registered
1BrowserInternet Explorer (Microsoft)86
2BrowserGoogle Chrome (Google)52
3BrowserSafari (Apple)34
3Development EnvironmentJDK, JRE (Oracle)34
5MiddlewareCosminexux (Hitachi)30
6OSLinux Kernel (kernel.org)29
7OtherIBM InfoSphere Systems (IBM)28
8OSCisco IOS (Cisco Systems)25
8BrowserMozilla Firefox (Mozilla Foundation)25
10OSUbuntu (Ubuntu)23
11MiddlewareMySQL (Oracle)22
12OtherownCloud (ownCloud)20
13MiddlewareOracle Fusion Middleware (Oracle)19
14CMSCommonSpot (PaperThin)16
14OSRed Hat Enterprise Linux (Red Hat)16
16Media PlayerAdobe Flash Player (Adobe Systems)15
16Media PlayerApple TV (Apple)15
16OSFedora (Fedora Project)15
16OSiOS (Apple)15
16CMSMediaWiki (MediaWiki)15

3. Most Accessed Vulnerability Countermeasure Information

Table 3-1 lists the top 20 most accessed vulnerability countermeasure information in JVN iPedia during the 2nd quarter of 2014 (April – June). The top is the encrypted communication OpenSSL vulnerability. 7 out of the top 20 are OpenSSL vulnerabilities, and have been heavily accessed by users who need the countermeasure information. Also, vulnerabilities in server software used to build websites, such as Apache Struts (3rd, 5th, 9th and 17th) and Apache HTTP Server (19th), had a lot of accesses. As especially for OpenSSL and Apache Struts, since vulnerabilities found in them are critical ones and these software are widely used, many people must have checked them out.

Table 3-1. Top 20 Most Accessed Vulnerability Countermeasure Information in JVN iPedia [Jan. 2014 – Mar. 2014]
#IDTitleCVSS
Score
Date
Public
1JVNDB-2014-000048OpenSSL improper handling of Change Cipher Spec message4.02014/6/6
2JVNDB-2014-002318Arbitrary code execution vulnerability in Pixman used in Cairo in Mozilla Firefox and SeaMonkey on Windows10.02014/5/1
3JVNDB-2014-000045Apache Struts vulnerable to ClassLoader manipulation7.52014/4/25
4JVNDB-2014-001920OpenSSL heartbeat extension information disclosure vulnerability5.02014/4/8
5JVNDB-2014-001603Apache Struts vulnerable to ClassLoader manipulation via ParametersInterceptor7.52014/3/12
6JVNDB-2014-000017Apache Commons FileUpload vulnerable to denial-of-service (DoS)5.02014/2/10
7JVNDB-2014-002260Use-after-free memory corruption vulnerability in Internet Explorer10.02014/4/28
8JVNDB-2014-001409Use-after-free memory corruption vulnerability in Internet Explorer9.32014/2/17
9JVNDB-2014-002308Apache Struts vulnerable to ClassLoader manipulation via ActionForm object7.52014/5/1
10JVNDB-2014-000044intra-mart vulnerable to open redirect4.32014/5/8
11JVNDB-2014-001795Vulnerability in Montgomery ladder implementation in OpenSSL allows an attacker to steal one time token for eclipse curve digital signature algorithm4.32014/3/26
12JVNDB-2014-002765the dtls1_reassemble_fragment function in d1_both.c in OpenSSL vulnerable to arbitrary code execution6.82014/6/9
13JVNDB-2010-005667The ssl3_read_bytes function in s3_pkt.c vulnerable to data insertion across sessions4.02014/4/16
14JVNDB-2014-000041Redmine vulnerable to open redirect4.32014/4/16
15JVNDB-2014-002137Juniper ScreenOS vulnerable to denial-of-service (DoS)7.82014/4/18
16JVNDB-2014-000053JustSystems Online Update Program bundled with JustSystems products vulnerable to arbitrary code execution7.62014/6/11
17JVNDB-2013-003469Apache Struts vulnerable to remote command execution7.52013/7/23
18JVNDB-2014-002766The dtls1_get_message_fragment function in d1_both.c in OpenSSL vulnerable to denial-of-service (DoS)4.32014/6/9
19JVNDB-2014-001717mod_log_config.c in the mod_log_config module for Apache HTTP Server vulnerable to denial-of-service (DoS)5.02014/3/19
20JVNDB-2014-002767The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL vulnerable to denial-of-service (DoS)4.32014/6/9

Table 3-2 lists the top 5 most accessed vulnerability countermeasure information among those reported by domestic product developers. The severity of top 3 vulnerabilities is level lll (High), meaning the vulnerabilities that may cause service outage or information exposure with high probability if attacked have attracted attention.

Table 3-2. Top 5 Most Accessed Vulnerability Countermeasure Information Reported by Domestic Developers [Apr. 2014 - Jun. 2014]
#IDTitleCVSS
Score
Date
Public
1JVNDB-2014-002800Multiple Vulnerabilities in Hitachi Tuning Manager and JP1/Performance Management - Manager Web Option9.02014/6/11
2JVNDB-2014-002802Xml eXternal Entity Vulnerability in XML link function of Hitachi COBOL20029.42014/6/11
3JVNDB-2011-001633Header Customization by Hitachi Web Server RequetHeader Directive Could Allow Attacker to Access Data Deleted from Memory5.12011/5/26
4JVNDB-2014-001594JP1/File Transmission Server / FTP vulnerable to access control violation8.52014/3/11
5JVNDB-2014-001593JP1/Integrated Management - Service Support vulnerable to cross-site scripting4.32014/3/11

Note 1) Color Code for CVSS Base Score and Severity Level

CVSS Base Score
= 0.0~3.9
Severity Level = I (Low)
CVSS Base Score
= 4.0~6.9
Severity Level = II (Medium)
CVSS Base Score
= 7.0~10.0
Severity Level = III (High)

Note 2) Color Code for Published Date

Published in 2012 and before Published in 2013 Published in 2014

Footnotes

(*1) Japan Vulnerability Notes. A portal for vulnerability countermeasure information providing information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.
http://jvn.jp/en/

(*2) National Vulnerability Database. A vulnerability database operated by NIST.
http://nvd.nist.gov/home.cfm

(*3) National Institute of Standards and Technology. A U.S federal agency that develops and promotes measurement, standards and technology.
http://www.nist.gov/

(*4) [UPDATE] OpenSSL Vulnerability (CVE-2014-0160)
http://www.ipa.go.jp/security/ciadr/vul/20140408-openssl.html(in Japanese)
[UPDATE] Adobe Flash Player Vulnerability (APSB14-13)(CVE-2014-0515)
http://www.ipa.go.jp/security/ciadr/vul/20140430-adobeflashplayer.html(in Japanese)
[UPDATE] Internet Explorer Vulnerability (CVE-2014-1776)
http://www.ipa.go.jp/security/ciadr/vul/20140428-ms.html(in Japanese)
[UPDATE] Apache Struts2 Vulnerability (CVE-2014-0094)(CVE-2014-0112)(CVE-2014-0113)
https://www.ipa.go.jp/security/ciadr/vul/20140417-struts.html(in Japanese)

(*5) Attacks that exploit vulnerability that has no fixed yet

(*6) Breach of Members-Only Web Service: Some Customer Information Compromised
http://www.cr.mufg.jp/corporate/info/pdf/2014/140418_01.pdf(in Japanese)

(*7) Common Vulnerability Scoring System (CVSS) http://www.ipa.go.jp/security/vuln/CVSS.html(in Japanese)
Based on a CVSS Base Score, it is evaluated in three levels. The higher the number, the higher the severity.
- Level III: A threat that could take complete remote control over the targeted system or lead to disclosure of a major part of information.
- Level II: A threat that could lead to disclosure of part of information or to denial of service.
- Level I: A situation where conditions required to execute an attack are complicated or the severity of a threat falls under the Level II but very unlikely to happen

(*8) Common Weakness Enumeration.
http://www.ipa.go.jp/security/vuln/CWE.html(in Japanese)

(*9) Report on Security Awareness of Information Security Threats
http://www.ipa.go.jp/files/000035983.pdf(in Japanese)

(*10) Contents Management System: a collective term of softwares that are used to easily create and manage websites

(*11) WordPress plugins are not included in the numbers.

(*12) Since web hackings that look like due to stolen FTP accounts become prevalent, IPA issued a security alert
http://www.ipa.go.jp/security/topics/20091224.html(in Japanese)

(*13) Consider closing your website down if not administered and maintained
http://www.ipa.go.jp/security/ciadr/vul/20140619-oldcms.html(in Japanese)

(*14) http://www.ipa.go.jp/security/awareness/vendor/programmingv2/index.html(in Japanese)

(*15) Hands-on vulnerability learning and experiencing tool “AppGoat”
http://www.ipa.go.jp/security/vuln/appgoat/index.html(in Japanese)

Reference

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)