Nov. 27, 2014
IT Security Center
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/) aims to be a comprehensive database in which vulnerability countermeasure information about software used in Japan is aggregated so that IT users can access it easily. JVN iPedia collects and/or translates the vulnerability countermeasure information published by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), a vulnerability information database run by NIST(*3), and has made this information available to the public since April 25, 2007.
~ Total of 48,427 Vulnerability information stored in JVN iPedia ~
The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 3rd quarter of 2014 (July 1 to September 30, 2014) is shown in the table below. The total number of vulnerabilities stored in JVN iPedia is now 48,427 (see Table 1-1, Figure 1-1).
As for the English version, a total of 1,101 vulnerabilities is available, as shown in the lower half of the table.
| Information Source | | Registered Cases | Cumulative Cases |
|---|---|---|---|
| Japanese Version | Domestic Product Developers | 0 cases | 158 cases |
| | JVN | 349 cases | 3,629 cases |
| | NVD | 1,218 cases | 44,640 cases |
| | Total | 1,567 cases | 48,427 cases |
| English Version | Domestic Product Developers | 0 cases | 158 cases |
| | JVN | 48 cases | 943 cases |
| | Total | 48 cases | 1,101 cases |
~ Improper SSL certificate validation vulnerability accounts for 84% of Android vulnerabilities ~
Figure 1-2-1 shows the number of Android OS and application vulnerabilities registered to JVN iPedia over the last few quarters. In this quarter, 144 vulnerabilities were registered, and 121 of them concerned improper SSL certificate validation (CWE-310(*4) Cryptographic Issues). This is because CERT/CC(*5) carried out a study that checked a large number of Android applications for proper SSL certificate validation(*6) and found that they did not validate certificates properly, which resulted in a sharp increase in the number of registered Android applications. Vulnerability information published in the U.S., like the aforementioned vulnerability(*7), is usually translated into Japanese and published for IT users’ convenience. Also, because this vulnerability is related to 13 known vulnerabilities published on JVN in the past, we have cross-referenced them.
If this issue is exploited, an attacker could eavesdrop on or alter the communication even though it is encrypted. As other Android applications are suspected to have the same vulnerability, IPA issued a security alert(*8) for Android application developers on September 19, 2014.
Application developers need to learn how to write secure applications, and if a vulnerability is found, they should fix it promptly and provide a patch or update.
IPA offers Android application developers a free vulnerability learning/checking tool called “AnCoLe”(*9). With AnCoLe, developers can check whether their source code is affected by the improper SSL certificate validation vulnerability (improper implementation of SSL communication).
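The following is an added example, not code from IPA, AnCoLe or any of the affected applications. It shows, using Python's standard `ssl` module as a stand-in for an Android TLS client, the three configurations that the CERT/CC study distinguishes: certificate validation switched off entirely, chain validation without hostname matching (the allow-all hostname verifier pattern), and the correct configuration. A small audit function flags the two weak settings; the function names and the findings text are the example's own.

```python
import socket
import ssl

# Constructed example: weak and correct TLS client contexts side by side,
# plus an audit that reports the settings which disable validation.


def insecure_context() -> ssl.SSLContext:
    """The anti-pattern: accept any certificate from any server.

    Equivalent to an Android TrustManager whose checkServerTrusted() is empty
    combined with an allow-all HostnameVerifier.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # the certificate chain is not validated at all
    return ctx


def chain_only_context() -> ssl.SSLContext:
    """Half-fixed: the chain is validated against the trusted CAs, but the
    certificate is not matched against the server name, so a valid
    certificate for any other domain is still accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verify_mode defaults to CERT_REQUIRED
    ctx.load_default_certs()
    ctx.check_hostname = False
    return ctx


def secure_context() -> ssl.SSLContext:
    """Correct: system CA bundle, chain validation and hostname matching."""
    return ssl.create_default_context()


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means validation is intact."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the server certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: the certificate is not matched against the server name")
    return findings


def open_verified_connection(host: str, port: int = 443) -> ssl.SSLSocket:
    """Connect with the secure context (needs network). A bad chain or a name
    mismatch raises ssl.SSLCertVerificationError instead of being ignored."""
    ctx = secure_context()
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()),
                      ("chain only", chain_only_context()),
                      ("secure", secure_context())):
        print(name, audit_context(ctx) or ["OK"])
```

The audit runs offline, because it inspects the context rather than a live connection; a review of an application's TLS setup should look for the same two properties, chain validation and hostname matching, since either one alone leaves the connection open to interception.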
~ MyJVN API users need to ensure their systems and tools are also ready for arbitrary-length CVE-IDs ~
CVE-ID(*10) is a unique identifier, maintained by MITRE(*11), that identifies reported vulnerabilities. Under the current syntax, CVE + YYYY + NNNN (e.g. CVE-2014-1234), the number part (NNNN) is fixed at four digits and supports a maximum of 9,999 unique CVE-IDs per year. To support more than 10,000 vulnerabilities in a single year, a new syntax will be introduced. Under the new syntax, CVE + YYYY + arbitrary digits (e.g. CVE-2014-12345), the number part starts at four digits and grows by a further digit only when the next digit is needed within a single year.
According to the MITRE announcement of September 17, 2014, at least one CVE-ID will be issued using the new syntax before the end of 2014 and no later than January 13, 2015. Once issued, IPA’s JVN iPedia and MyJVN(*12) will provide vulnerability information with new-syntax CVE-IDs as well. MyJVN API users who retrieve JVN iPedia information for use in their systems, tools and websites must make sure that those systems, tools and websites continue to work properly when they process new-syntax CVE-IDs. For more details about the CVE-ID syntax change, please check the CVE website.
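The following is an added example, not MyJVN or JVN iPedia code, of what "ready for arbitrary-length CVE-IDs" means in practice. It contrasts the fixed four-digit pattern with the new pattern, parses both syntaxes into (year, number) so that IDs sort numerically rather than as strings, and includes a constructed fixed-offset extractor of the kind that silently returns the wrong number once a fifth digit appears. The regular expressions follow the syntax described above; the function names are the example's own.

```python
import re

# Legacy syntax: exactly four digits after the year (at most 9,999 IDs per year).
LEGACY_CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4})$")
# New syntax: four or more digits, zero-padded to four only below 10000.
NEW_CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def is_legacy_cve_id(cve_id: str) -> bool:
    """True only for IDs the fixed-width, four-digit syntax accepts."""
    return LEGACY_CVE_RE.match(cve_id) is not None


def parse_cve_id(cve_id: str) -> tuple:
    """Split a CVE-ID of either syntax into (year, sequence number).

    Raises ValueError for anything that is not a well-formed CVE-ID, including
    a sequence number of five or more digits with a leading zero.
    """
    m = NEW_CVE_RE.match(cve_id.strip())
    if m is None:
        raise ValueError("not a CVE-ID: %r" % cve_id)
    year, seq = m.group(1), m.group(2)
    if len(seq) > 4 and seq[0] == "0":
        raise ValueError("sequence numbers above four digits are not zero-padded: %r" % cve_id)
    return int(year), int(seq)


def is_valid_cve_id(cve_id: str) -> bool:
    """Boolean wrapper around parse_cve_id for input validation."""
    try:
        parse_cve_id(cve_id)
        return True
    except ValueError:
        return False


def legacy_extract_sequence(cve_id: str) -> int:
    """Constructed example of code that breaks: fixed-offset extraction that
    assumes the last four characters are the whole sequence number, so
    CVE-2014-12345 yields 2345 instead of 12345 without any error."""
    return int(cve_id[-4:])


def sort_cve_ids(ids) -> list:
    """Sort by (year, number); a plain string sort would put CVE-2014-12345
    before CVE-2014-9999 because '1' < '9'."""
    return sorted(ids, key=parse_cve_id)


if __name__ == "__main__":
    sample = ["CVE-2014-12345", "CVE-2014-9999", "CVE-2013-0160"]  # constructed input
    print("string order: ", sorted(sample))
    print("numeric order:", sort_cve_ids(sample))
    print("legacy extractor on CVE-2014-12345:", legacy_extract_sequence("CVE-2014-12345"))
```

The same checks apply to storage: a fixed-width column or a buffer sized for thirteen characters truncates the new IDs just as quietly as the slicing above, so both the parsing and the persistence layers need to be reviewed.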
Figure 2-1 illustrates the number of vulnerability countermeasure information entries registered during the 3rd quarter of 2014, sorted by vulnerability type using CWE.
The vulnerability type reported most during this quarter is CWE-79 (Cross-Site Scripting) with 271 cases, followed by CWE-310 (Cryptographic Issues) with 147 cases and CWE-264 (Permissions, Privileges and Access Controls) with 145 cases. The most reported type, CWE-79 (Cross-Site Scripting), could allow an attacker to place bogus web pages on a legitimate website.
Software developers need to implement the necessary security measures from the planning and design phase of software development onward to mitigate vulnerabilities. IPA provides tools and guidelines such as “Secure Programming Courses”(*13) to promote secure programming and “AppGoat”(*14) to help developers learn and understand vulnerabilities through practice and exercises(*15).
Figure 2-2 shows the annual change in the severity of vulnerabilities registered to JVN iPedia based on the date they were first published.
As of the end of September 2014, 42 percent of all vulnerabilities registered since the launch of JVN iPedia are level III (“High”, CVSS Base Score = 7.0-10.0), 51 percent are level II (“Medium”, CVSS Base Score = 4.0-6.9) and 7 percent are level I (“Low”, CVSS Base Score = 0.0-3.9).
This means the severity of 93 percent of the known vulnerabilities is level II or higher, i.e. threats critical enough to cause a service outage. To avoid the threats posed by known vulnerabilities, it is essential for IT users to update software or apply security patches as soon as they become available.
Figure 2-3 shows the annual change in the types of software for which vulnerabilities were registered to JVN iPedia, based on the respective vulnerability release date. Application vulnerabilities are published most and account for 85 percent of the total.
Since 2008, vulnerabilities in Industrial Control Systems (ICS) used in fields such as critical infrastructure have also been added. During this quarter, 50 ICS vulnerabilities were registered, bringing the total to 574.
Table 2-4 lists the top 20 software products for which the most vulnerabilities were registered during the 3rd quarter of 2014. As seen below, many browsers ranked in the top 10: Internet Explorer (1), Google Chrome (5), Safari (7) and Mozilla Firefox (8). Quite a number of software products by Hitachi Ltd. were also in the top 20.
Besides vulnerability information on browsers and applications that are updated often, JVN iPedia stores information on a wide variety of software products. Users should keep a close eye on those frequently updated software products and make sure not to miss vulnerability information and patches.
| # | Category | Product Name (Vendor) | Vulnerabilities Registered |
|---|---|---|---|
| 1 | Browser | Internet Explorer (Microsoft) | 108 |
| 3 | Media Player | Apple TV (Apple) | 51 |
| 4 | OS | Apple Mac OS X (Apple) | 48 |
| 5 | Browser | Google Chrome (Google) | 41 |
| 6 | OS | Linux Kernel (kernel.org) | 34 |
| 8 | Browser | Mozilla Firefox (Mozilla Foundation) | 23 |
| 8 | Development Environment | Adobe Air (Adobe Systems) | 23 |
| 8 | Development Environment | Adobe Air SDK (Adobe Systems) | 23 |
| 8 | Media Player | Adobe Flash Player (Adobe Systems) | 23 |
| 12 | Mailer | Mozilla Thunderbird (Mozilla Foundation) | 21 |
| 13 | Development Environment | JDK (Oracle) | 20 |
| 13 | Development Environment | JRE (Oracle) | 20 |
| 15 | Network Software | Wireshark (Wireshark) | 17 |
| 15 | Integrated Development/Operational Environment | Cosminexus Application Server Standard (Hitachi) | 17 |
| 15 | Integrated Development/Operational Environment | Cosminexus Client (Hitachi) | 17 |
| 15 | Integrated Development/Operational Environment | Cosminexus Studio (Hitachi) | 17 |
| 15 | Integrated Development/Operational Environment | Cosminexus Primary Server (Hitachi) | 17 |
| 15 | Integrated Development/Operational Environment | Cosminexus Developer (Hitachi) | 17 |
Table 3-1 lists the top 20 most accessed vulnerability countermeasure information entries in JVN iPedia during the 3rd quarter of 2014 (July to September). The bash vulnerabilities ranked 2nd and 4th (aka Shellshock) could, if exploited, affect a variety of services and devices, such as web applications, Linux-based embedded systems, wireless home routers and network attached storage devices. In the U.S., attacks exploiting them were observed. Because the effect of such attacks could be broad, IPA issued an emergency security alert for Shellshock(*16).
| # | JVN iPedia ID | Title | CVSS Base Score | Published Date |
|---|---|---|---|---|
| 1 | JVNDB-2014-000048 | OpenSSL improper handling of Change Cipher Spec message | 4.0 | 2014/6/6 |
| 2 | JVNDB-2014-004410 | GNU bash arbitrary code execution vulnerability | 10.0 | 2014/9/29 |
| 3 | JVNDB-2014-000045 | Apache Struts vulnerable to ClassLoader manipulation | 7.5 | 2014/4/25 |
| 4 | JVNDB-2014-004399 | GNU bash vulnerability allows an attacker to write to file | 10.0 | 2014/9/26 |
| 5 | JVNDB-2014-003474 | Apache HTTP Server mod_status module vulnerable to denial-of-service (DoS) | 6.8 | 2014/7/22 |
| 6 | JVNDB-2014-000087 | Multiple I-O DATA IP Cameras vulnerable to authentication bypass | 6.4 | 2014/7/29 |
| 7 | JVNDB-2014-000017 | Apache Commons FileUpload vulnerable to denial-of-service (DoS) | 5.0 | 2014/2/10 |
| 8 | JVNDB-2014-002767 | The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL vulnerable to denial-of-service (DoS) | 4.3 | 2014/6/9 |
| 9 | JVNDB-2014-003719 | OpenSSL Client vulnerable to null pointer dereference | 5.0 | 2014/8/12 |
| 10 | JVNDB-2014-003817 | Buffer overflow vulnerabilities in crypto/srp/srp_lib.c in the SRP implementation in OpenSSL | 7.5 | 2014/8/15 |
| 11 | JVNDB-2014-002766 | The dtls1_get_message_fragment function in d1_both.c in OpenSSL vulnerable to denial-of-service (DoS) | 4.3 | 2014/6/9 |
| 12 | JVNDB-2014-003812 | The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL vulnerable to information disclosure | 4.3 | 2014/8/15 |
| 13 | JVNDB-2014-000071 | Becky! Internet Mail vulnerable to buffer overflow | 5.1 | 2014/7/8 |
| 14 | JVNDB-2014-002765 | The dtls1_reassemble_fragment function in d1_both.c in OpenSSL vulnerable to arbitrary code execution | 6.8 | 2014/6/9 |
| 15 | JVNDB-2014-000102 | Kindle App for Android fails to verify SSL server certificates | 4.0 | 2014/8/29 |
| 16 | JVNDB-2014-003475 | Apache HTTP Server mod_cgid module vulnerable to denial-of-service (DoS) | 5.0 | 2014/7/22 |
| 17 | JVNDB-2014-000072 | Seasar S2Struts vulnerable to ClassLoader manipulation | 7.5 | 2014/7/15 |
| 18 | JVNDB-2014-003473 | Denial-of-service (DoS) vulnerability in mod_deflate.c in mod_deflate module in Apache HTTP Server | 4.3 | 2014/7/22 |
| 19 | JVNDB-2014-003472 | Apache HTTP Server mod_proxy module vulnerable to denial-of-service (DoS) | 4.3 | 2014/7/22 |
| 20 | JVNDB-2014-001920 | OpenSSL heartbeat extension information disclosure vulnerability | 5.0 | 2014/4/8 |
Table 3-2 lists the top 5 most accessed vulnerability countermeasure information entries among those reported by domestic product developers. The severity of the vulnerabilities ranked 1st and 2nd is level III (High), meaning they could cause serious damage, such as information theft, data modification and denial of service.
| # | JVN iPedia ID | Title | CVSS Base Score | Published Date |
|---|---|---|---|---|
| 1 | JVNDB-2014-002800 | Multiple Vulnerabilities in Hitachi Tuning Manager and JP1/Performance Management - Manager Web Option | 9.0 | 2014/6/11 |
| 2 | JVNDB-2014-002802 | Xml eXternal Entity Vulnerability in XML link function of Hitachi COBOL2002 | 9.4 | 2014/6/11 |
| 3 | JVNDB-2007-001022 | Apache UTF-7 Encoding Cross-Site Scripting Vulnerability | 4.3 | 2007/12/25 |
| 4 | JVNDB-2011-001633 | Header Customization by Hitachi Web Server RequestHeader Directive Could Allow Attacker to Access Data Deleted from Memory | 5.1 | 2011/5/26 |
| 5 | JVNDB-2008-001313 | JP1/Cm2/Network Node Manager Denial of Service Vulnerability | 5.0 | 2008/5/9 |
Note 1) Severity level legend for the CVSS Base Score column: Severity Level I (Low), Severity Level II (Medium), Severity Level III (High).
Note 2) Legend for the Published Date column: published in 2012 and before; published in 2013; published in 2014.
(*1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information providing information on vendor responses to reported vulnerabilities and security support. Operated in collaboration between IPA and JPCERT/CC.
(*2) National Vulnerability Database: A vulnerability database operated by NIST.
(*3) National Institute of Standards and Technology: A U.S. federal agency that develops and promotes measurement, standards and technology.
(*4) Common Weakness Enumeration
(*6) Android application SSL spreadsheet (617 entries as of September 18, 2014)
(*7) JVNVU#90369988: Multiple Android applications fail to properly validate SSL certificates. It is based on the advisory issued by CERT/CC.
(*8) Press Release: [Security Alert] To Android application developers: implement SSL server certificate validation if communicating data over HTTPS
(*9) Android Application Vulnerability Learning/Checking Tool “AnCoLe”
(*10) Common Vulnerabilities and Exposures
(*11) MITRE Corporation: A non-profit national technology resource that provides information technology support and research and development, among other things, to the U.S. government.
(*12) Vulnerability Countermeasure Information Sharing Framework “MyJVN”
(*13) http://www.ipa.go.jp/security/awareness/vendor/programmingv2/index.html (in Japanese)
(*14) Press Release: Web application version of hands-on vulnerability learning and experiencing tool “AppGoat” features enhanced
(*15) Hands-on vulnerability learning and experiencing tool “AppGoat”
(*16) http://www.ipa.go.jp/security/ciadr/vul/20140926-bash.html (in Japanese)
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)