August 15, 2016
IT Security Center
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/en/) is endeavoring to become a comprehensive database where vulnerability countermeasure information about software used in Japan is aggregated so that IT users can easily access it. JVN iPedia collects and/or translates the vulnerability countermeasure information published by 1) domestic software developers, 2) JVN (*1), a vulnerability information portal run by IPA and JPCERT/CC, and 3) NVD (*2), a vulnerability information database run by NIST (*3). JVN iPedia has made vulnerability information available to the public since April 25, 2007.
~ JVN iPedia now covers more than 60,000 vulnerabilities ~
The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 2nd quarter of 2016 (April 1 to June 30, 2016) is shown in the table below. As of the end of June 2016, the total number of vulnerabilities stored in JVN iPedia is 61,309 (Table 1-1, Figure 1-1).
As for the English version, a total of 1,458 vulnerabilities is available, as shown in the lower half of the table.
|Information Source||Registered Cases||Cumulative Cases|
|Japanese Version||Domestic Product Developers||2 cases||176 cases|
|JVN||206 cases||6,498 cases|
|NVD||1,554 cases||54,635 cases|
|Total||1,762 cases||61,309 cases|
|English Version||Domestic Product Developers||2 cases||176 cases|
|JVN||84 cases||1,282 cases|
|Total||86 cases||1,458 cases|
~ Exploit code publicly available for 2 out of 15 vulnerabilities disclosed during this quarter ~
From April to June, a dozen vulnerabilities in Apache Struts were reported. Apache Struts is an open source software framework for developing Java web applications. Because exploit code that specifically targets those vulnerabilities is publicly available and remote attackers could execute arbitrary code, IPA issued emergency security alerts in April and June to warn people to stay alert (*4)(*5).
As shown in Table 1-2, 15 vulnerabilities were registered to JVN iPedia this quarter, including JVNDB-2016-002626 and JVNDB-2016-000110, which prompted IPA to issue emergency security alerts. Of the 15 vulnerabilities, 2 affect Apache Struts 1 and the rest affect Apache Struts 2.
|Title||Affected Systems (Apache Struts Only)||Published Date|
|Cross-site scripting vulnerability in the URLDecoder function in JRE used in Apache Struts||2.x before 2.3.28 (JRE before 1.8)|
|Apache Struts vulnerable to arbitrary code execution||2.x before 2.3.28||2016/4/18|
|Apache Struts vulnerable to Cross-site scripting||2.x before 2.3.28||2016/4/18|
|Apache Struts 2 vulnerable to remote code execution (Emergency Security Alert issued)||2.3.20 through 2.3.28 (except 220.127.116.11 and 18.104.22.168)|
|Arbitrary code execution vulnerability in XSLTResult in Apache Struts||2.x before 22.214.171.124; 2.3.24.x before 126.96.36.199; 2.3.28.x before 188.8.131.52|
|Apache Struts 1 vulnerability that allows unintended remote operations against components on memory||1.0 through 1.3.10||2016/6/7|
|Apache Struts 1 vulnerable to input validation bypass||1.1 through 1.3.10||2016/6/7|
|Apache Struts vulnerable to arbitrary code execution||2.3.20.x before 184.108.40.206; 2.3.24.x before 220.127.116.11; 2.3.28.x before 18.104.22.168|
|Apache Struts vulnerable to denial-of-service (DoS)||2.0.0 through 22.214.171.124||2016/6/10|
|Apache Struts vulnerable to remote code execution (Emergency Security Alert issued)||2.3.20 through 126.96.36.199||2016/6/20|
|Apache Struts vulnerable to cross-site request forgery||2.3.20 through 188.8.131.52||2016/6/20|
|Apache Struts vulnerable to validation bypass in Getter method||2.3.20 through 184.108.40.206||2016/6/20|
|Apache Struts vulnerable to input validation bypass||2.3.20 through 220.127.116.11||2016/6/20|
|Apache Struts vulnerable to denial-of-service (DoS)||2.3.20 through 18.104.22.168|
|Apache Commons FileUpload vulnerable to denial-of-service (DoS)||2.5.1 and earlier||2016/6/30|
Fewer Apache Struts 1 vulnerabilities are disclosed because Apache Struts 1 reached end of support in April 2013. Although two Apache Struts 1 vulnerabilities (CVE-2016-1181 and CVE-2016-1182) were disclosed as exceptions, vulnerabilities newly found in end-of-support software are generally neither disclosed nor fixed. Thus, it is unknown whether vulnerabilities newly found in Apache Struts 2 also affect Apache Struts 1. If they do, they could allow an attacker to cause a denial of service (DoS) condition or execute arbitrary code on the affected system.
Regardless of its end-of-support status, Apache Struts 1 is still used in enterprise systems. Apache Struts 1 users and system administrators need to consider migrating to Apache Struts 2 or another framework supported by its vendor. Even when using supported products, check vulnerability information and keep them up to date.
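As an added example (not code from IPA's report or from JVN iPedia itself), the following Python parses the three affected-version phrasings used in Table 1-2 above ("A through B", "A before B", "B and earlier") and checks whether an installed version is covered. The product tags and shortened titles are my own labelling, and rows whose version numbers are not legible on the page are left out.

```python
import re

# Affected-version expressions copied from Table 1-2 above, limited to rows
# whose ranges are legible; the "except ..." exclusions of the alert row are
# not encoded because their values are not readable on the page. Product tags
# and shortened titles are labelling added here for grouping.
AFFECTED = [
    ("Apache Struts 1", "unintended remote operations against components on memory", "1.0 through 1.3.10"),
    ("Apache Struts 1", "input validation bypass", "1.1 through 1.3.10"),
    ("Apache Struts 2", "arbitrary code execution (2016/4/18)", "2.x before 2.3.28"),
    ("Apache Struts 2", "remote code execution (Emergency Security Alert)", "2.3.20 through 2.3.28"),
    ("Apache Struts 2", "Commons FileUpload denial-of-service (2016/6/30)", "2.5.1 and earlier"),
]


def parse_version(text):
    """'2.3.28' -> (2, 3, 28). A trailing '.x' (as in '2.x') is dropped so the
    shorter tuple acts as a prefix: (2,) sorts before every 2.* release."""
    return tuple(int(p) for p in text.removesuffix(".x").split("."))


def parse_range(expr):
    """Return (lower_inclusive, upper, upper_inclusive) for the three phrasings
    the table uses: 'A through B', 'A before B', and 'B and earlier'."""
    if m := re.fullmatch(r"(\S+) through (\S+)", expr):
        return parse_version(m[1]), parse_version(m[2]), True
    if m := re.fullmatch(r"(\S+) before (\S+)", expr):
        return parse_version(m[1]), parse_version(m[2]), False
    if m := re.fullmatch(r"(\S+) and earlier", expr):
        return (0,), parse_version(m[1]), True
    raise ValueError(f"unsupported affected-systems expression: {expr!r}")


def is_affected(installed, expr):
    """True when the installed version falls inside the expression's range.
    Tuple comparison treats 2.3.28.1 as later than 2.3.28, so a plain
    'through 2.3.28' bound does not cover 2.3.28.x point releases."""
    lower, upper, inclusive = parse_range(expr)
    v = parse_version(installed)
    if v < lower:
        return False
    return v <= upper if inclusive else v < upper


def affected_entries(product, installed, table=AFFECTED):
    """Titles of table rows for this product that cover the installed version."""
    return [title for prod, title, expr in table if prod == product and is_affected(installed, expr)]


if __name__ == "__main__":
    for product, version in [("Apache Struts 2", "2.3.24"), ("Apache Struts 1", "1.3.10")]:
        print(product, version, "->", affected_entries(product, version))
```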
Figure 2-1 shows the number of vulnerabilities newly added to JVN iPedia during the 2nd quarter of 2016, sorted by the CWE vulnerability types.
The vulnerability type reported most in the 2nd quarter is CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) with 353 cases, followed by CWE-20 (Improper Input Validation) with 176 cases, CWE-264 (Permissions, Privileges and Access Controls) with 170 cases, CWE-200 (Information Exposure) with 165 cases, and CWE-79 (Cross-Site Scripting) with 96 cases. CWE-119, the most reported vulnerability type this quarter, could allow an attacker to execute arbitrary code on the affected server or PC, causing various undesirable consequences, such as unauthorized access to and/or alteration of data.
Software developers need to implement the necessary security measures from the planning and design phase of software development to mitigate vulnerabilities. IPA provides tools and guidelines, such as "How to Secure Your Website" (*6) for website developers and operators to create a secure website, and "AppGoat" (*7) to help learn and understand vulnerabilities through hands-on practice and exercises.
Figure 2-2 shows the annual change in the severity of vulnerabilities registered to JVN iPedia based on the date they were first published.
As of the end of June 2016, 40.1 percent of all vulnerabilities registered since the launch of JVN iPedia are level III ("High", CVSS Base Score = 7.0-10.0), 52.5 percent are level II ("Medium", CVSS Base Score = 4.0-6.9), and 7.4 percent are level I ("Low", CVSS Base Score = 0.0-3.9).
This means the severity of about 93 percent of the known vulnerabilities is level II or higher, which is critical enough to cause information exposure or data modification. To avoid threats posed by the known vulnerabilities, it is essential for users to update software to the latest version or apply security patches as soon as possible when they become available.
In addition to a CVSSv2 severity score, JVN iPedia has started a pilot to provide a CVSSv3 severity score since December 1, 2015.
Figure 2-3 shows the annual change in the type of software reported with vulnerabilities. Application vulnerabilities have been disclosed most, accounting for 72.3 percent of the total.
Since 2007, vulnerabilities in industrial control systems (ICS) used in critical infrastructure sectors have been added to JVN iPedia. As of 2016/2Q, a total of 882 ICS vulnerabilities have been registered (Figure 2-4).
Table 2-4 lists the top 20 software products whose vulnerabilities were most registered during the 2nd quarter (April to June) of 2016. 13 out of 20 are operating systems, accounting for more than 60 percent. Apart from operating systems, Adobe Systems products, such as Adobe Flash Player and Adobe Reader, stand out.
JVN iPedia stores vulnerability information on a variety of software, including the operating systems ranked in the top 20. IPA hopes users and developers will make use of JVN iPedia to efficiently check vulnerability information about the software they are using and take necessary action in a timely manner (*8).
|Rank||Category||Product Name (Vendor)||Number of Vulnerabilities|
|1||Browser||Google Chrome (Google)||147|
|2||OS||Microsoft Windows 10 (Microsoft)||120|
|2||OS||Microsoft Windows Server 2012 (Microsoft)||120|
|4||OS||Microsoft Windows 8.1 (Microsoft)||118|
|5||OS||Debian GNU/Linux (Debian)||116|
|7||OS||Linux Kernel (kernel.org)||102|
|8||OS||Microsoft Windows RT 8.1 (Microsoft)||99|
|9||PDF Viewer||Adobe Acrobat Reader DC (Adobe Systems)||93|
|9||PDF Viewer||Adobe Reader (Adobe Systems)||93|
|9||PDF Viewer/Editor||Adobe Acrobat (Adobe Systems)||93|
|9||PDF Viewer/Editor||Adobe Acrobat DC (Adobe Systems)||93|
|9||Media Player||Adobe Flash Player (Adobe Systems)||93|
|14||OS||Apple Mac OS X (Apple)||72|
|15||Script Language||PHP (The PHP Group)||53|
|17||OS||openSUSE (openSUSE project)||45|
|20||OS||Microsoft Windows Server 2008 (Microsoft)||32|
Table 3-1 lists the top 20 most accessed vulnerability information in JVN iPedia during the 2nd quarter of 2016 (April to June).
The 1st, 3rd, 4th, and 5th are Apache Struts vulnerabilities. They have gathered a lot of attention, probably because Apache Struts is widely used to develop web applications. Because exploit code for the 5th vulnerability was also made public, IPA issued an emergency security alert. The 2nd, 12th, 14th, 15th and 19th are vulnerabilities in OpenSSL, which is used for encrypting communications. The 6th is a vulnerability in the image editor ImageMagick; the vulnerability is also known as ImageTragick and has drawn attention.
|Rank||ID||Title||CVSS Base Score||Published Date|
|1||JVNDB-2016-000096||Apache Struts 1 vulnerability that allows unintended remote operations against components on memory||6.8||2016/6/7|
|2||JVNDB-2016-002475||Arbitrary code execution vulnerability in the ASN.1 implementation in OpenSSL (Japanese)||10.0||2016/5/10|
|3||JVNDB-2016-000097||Apache Struts 1 vulnerable to input validation bypass||5.8||2016/6/7|
|4||JVNDB-2016-002075||Apache Struts vulnerable to remote code execution (Japanese)||10.0||2016/4/18|
|5||JVNDB-2016-000110||Apache Struts vulnerable to remote code execution||6.8||2016/6/20|
|6||JVNDB-2016-002443||ImageMagick improper input validation vulnerability (Japanese)||10.0||2016/5/9|
|7||JVNDB-2016-000054||Electron may insecurely load Node modules||6.8||2016/4/22|
|8||JVNDB-2016-000064||WordPress plugin "Ninja Forms" vulnerable to PHP object injection||6.8||2016/5/13|
|9||JVNDB-2016-000074||Trend Micro enterprise products directory traversal vulnerability||3.3||2016/5/25|
|10||JVNDB-2016-000089||Trend Micro enterprise products HTTP header injection vulnerability||2.9||2016/5/25|
|11||JVNDB-2016-001928||Denial of service (DoS) vulnerability in wddx.c in the WDDX extension in PHP (Japanese)||7.5||2016/4/1|
|12||JVNDB-2016-003304||OpenSSL vulnerable to denial of service (DoS) (Japanese)||7.5||2016/6/22|
|13||JVNDB-2016-000036||Aterm WG300HP vulnerable to cross-site request forgery||2.6||2016/3/30|
|14||JVNDB-2016-002474||Vulnerability in the AES-NI implementation in OpenSSL allows an attacker to obtain sensitive cleartext information (Japanese)||2.6||2016/5/10|
|15||JVNDB-2016-002476||Denial of service (DoS) vulnerability in The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL (Japanese)||7.8||2016/5/10|
|16||JVNDB-2016-000035||Aterm WF800HP vulnerable to cross-site request forgery||4.0||2016/3/30|
|17||JVNDB-2016-000063||FileMaker server issue where PHP source code may be viewable||2.6||2016/5/13|
|18||JVNDB-2016-002184||JMX subcomponent vulnerability in multiple Oracle Java products (Japanese)||10.0||2016/4/25|
|19||JVNDB-2016-002477||Vulnerability in The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL allows an attacker to obtain sensitive information from process stack memory (Japanese)||6.4||2016/5/10|
|20||JVNDB-2016-000048||EC-CUBE plugin "Social-button Plugin Premium" and "Social-button Plugin" vulnerable to cross-site scripting||4.3||2016/4/8|
Table 3-2 lists the top 5 most accessed vulnerability information among those reported by domestic product developers. If using vulnerable software, system administrators should apply security patches or update their systems as soon as possible to prevent damage.
|Rank||ID||Title||CVSS Base Score||Published Date|
|1||JVNDB-2016-002716||Cross-site Scripting Vulnerability in Hitachi Tuning Manager||5.0||2016/5/18|
|2||JVNDB-2016-001559||Information Disclosure Vulnerability in Hitachi Compute Systems Manager||3.5||2016/3/4|
|3||JVNDB-2016-002715||Information Disclosure Vulnerability in Hitachi Command Suite||5.0||2016/5/18|
|4||JVNDB-2016-001472||Remote File Inclusion Vulnerability in Hitachi Command Suite||10.0||2016/2/24|
|5||JVNDB-2015-006527||Cross-site Scripting Vulnerability in uCosminexus Portal Framework and Groupmax Collaboration||3.5||2015/12/28|
Note 1) Color Code for CVSS Base Score and Severity Level
|CVSS Base Score = 0.0-3.9||Severity Level = I (Low)|
|CVSS Base Score = 4.0-6.9||Severity Level = II (Medium)|
|CVSS Base Score = 7.0-10.0||Severity Level = III (High)|
Note 2) Color Code for Published Date
|Published in 2014 and before||Published in 2015||Published in 2016|
(*1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information, including information on vendor responses to reported vulnerabilities and security support. Operated jointly by IPA and JPCERT/CC.
(*2) National Vulnerability Database: A vulnerability database operated by NIST.
(*3) National Institute of Standards and Technology: A U.S. federal agency that develops and promotes measurement, standards and technology.
(*4) Emergency Security Alert for Apache Struts 2
(*5) Emergency Security Alert for Apache Struts Remote Code Execution Vulnerability
(*6) How to Secure Your Websites
(*7) Hands-on vulnerability learning and exercising tool "AppGoat"
(*8) IPA Technical Watch - Daily Practice Guide: Tips on Vulnerability Management
The guide gives tips on how to effectively and efficiently collect and leverage vulnerability information.
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)