February 24, 2017
IT Security Center
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/en/) aims to be a comprehensive database that aggregates vulnerability countermeasure information about software used in Japan so that IT users can access it easily. JVN iPedia collects and/or translates the vulnerability information published by 1) domestic software developers, 2) JVN (*1), a vulnerability information portal run by JPCERT/CC and IPA, and 3) NVD (*2), a vulnerability database run by NIST (*3). JVN iPedia has made this vulnerability information available to the public since April 25, 2007.
~ JVN iPedia now stores 64,618 vulnerabilities ~
The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 4th quarter of 2016 (October 1 to December 31, 2016) is shown in the table below. As of the end of December 2016, the total number of vulnerabilities stored in JVN iPedia is 64,618 (Table 1-1, Figure 1-1).
As for the English version, a total of 1,588 vulnerabilities are available, as shown in the lower half of the table.
| Version | Information Source | Registered Cases | Cumulative Cases |
|---|---|---|---|
| Japanese Version | Domestic Product Developers | 1 | 179 |
| | JVN | 117 | 6,893 |
| | NVD | 1,453 | 57,546 |
| | Total | 1,571 | 64,618 |
| English Version | Domestic Product Developers | 1 | 179 |
| | JVN | 71 | 1,409 |
| | Total | 72 | 1,588 |
~ 95.7% of Adobe Flash Player and 83.3% of Adobe Reader Vulnerabilities were "Level III (High)" ~
In 2016, as in previous years, many critical vulnerabilities in popular software (those assessed as highly severe or exploited in cyberattacks) were disclosed. In October of the 4th quarter of 2016 alone, highly severe vulnerabilities in Adobe Reader and Oracle JRE (such as CVE-2016-1089 and CVE-2016-5556) were published. If exploited, these vulnerabilities may allow an attacker to hijack the affected computer. In December, a vulnerability in Adobe Flash Player that had been exploited in zero-day attacks (CVE-2016-7892) was published.
When such critical vulnerabilities are disclosed, IPA issues security alerts. IPA released 51 security alerts in total in 2016, of which 15 were for Adobe Flash Player, 5 for Adobe Reader and 5 for Oracle JRE, together making up about half of the total. Let's take a look at the registration status of these three products, which are often the subject of security alerts.
Figures 1-2-1, 1-2-2 and 1-2-3 show the number and severity (CVSSv2) of the vulnerabilities in Adobe Flash Player, Adobe Reader and Oracle JRE reported in 2016, respectively. For Adobe Flash Player, Level III (High) vulnerabilities account for 95.7 percent, almost all of them, and even for Adobe Reader the share is over 80 percent. Figure 1-2-4 shows the yearly change in the number and severity of the vulnerabilities in Adobe Reader reported from 2012 to 2016.
The number of vulnerabilities reported in 2016 is notably large, about 1.7 times that of the previous year. The share of vulnerabilities assessed as Level III (High) has been increasing in recent years and reached 83 percent in 2016.
Continuing to use software with known vulnerabilities without applying security patches or updating to a fixed version increases the risk of a security breach through attacks that exploit those unresolved vulnerabilities. Users of Adobe Flash Player, Adobe Reader and Oracle JRE should regularly check whether updates are available and, if they are, update the software immediately. To facilitate timely updates, IPA offers a cyber security alert service, "icat" (*4), to system administrators; the service pushes released security alerts in real time.
IPA also offers a tool called "MyJVN Version Checker" (*5) to general IT users who use a PC at home. With the tool, users can check whether the applications installed on their PC are up to date. IPA encourages the use of MyJVN Version Checker as a routine vulnerability management task.
~ 508 Android vulnerabilities were disclosed in 2016 - 4.5 times more than in 2015 ~
In October 2016, a Linux kernel vulnerability dubbed "Dirty Cow" (CVE-2016-5195) was disclosed. Since Android OS (hereafter referred to as "Android") is built on Linux, all Android versions, including the latest version at that time (Android 7.0 Nougat), might have been affected by the vulnerability, and exploit code for Dirty Cow was widely available at the time of disclosure. The year 2016 saw many Android vulnerability disclosures.
Figure 1-3-1 shows the yearly change in the number and severity (CVSSv2) of the Android vulnerabilities reported from 2012 to 2016. Figure 1-3-2 shows those in 2016 alone.
Figure 1-3-1 shows that the number of Android vulnerabilities reported in 2016 is 4.5 times that in 2015. 65.9 percent of them are Level III (High) vulnerabilities, which could cause serious damage if exploited.
Users should be aware that vulnerabilities also exist in the devices we use casually every day, such as smartphones and tablets, and should update promptly when security updates are released.
Figure 2-1 shows the number of vulnerabilities newly added to JVN iPedia during the 4th quarter of 2016, sorted by the CWE vulnerability types.
The vulnerability type reported most in the 4th quarter is CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) with 234 cases, followed by CWE-200 (Information Exposure) with 187, CWE-264 (Permissions, Privileges and Access Controls) with 160, CWE-79 (Cross-Site Scripting) with 149, and CWE-20 (Improper Input Validation) with 109. CWE-119, the most reported type this quarter, could allow an attacker to execute arbitrary code on the affected server or PC, leading to consequences such as unauthorized access to or modification of data.
Software developers need to build in the necessary security measures from the planning and design phase of development in order to reduce vulnerabilities. IPA provides tools and guidelines, such as "How to Secure Your Website" (*6) and the "Secure Programming Guide" (*7), for website developers and operators to build secure websites.
Figure 2-2 shows the yearly change in the severity (CVSSv2) of vulnerabilities registered to JVN iPedia based on the year they were first published.
As for those registered in 2016 (January 1 to December 31), 38.3 percent are Level III ("High", CVSS Base Score = 7.0-10.0), 51.8 percent are Level II ("Medium", CVSS Base Score = 4.0-6.9), and 9.9 percent are Level I ("Low", CVSS Base Score = 0.0-3.9). This means that 90.1 percent of the vulnerabilities reported in 2016 are Level II or higher, which is potentially critical enough to cause damage such as information exposure or data modification.
To mitigate threats imposed by the known vulnerabilities, it is essential for users to update software to the latest version or apply security patches as soon as possible when they become available.
In addition to the CVSSv2 severity score, JVN iPedia has been providing a CVSSv3 (*8) severity score on a pilot basis since December 1, 2015.
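To show how the severity levels defined above (Level I: 0.0-3.9, Level II: 4.0-6.9, Level III: 7.0-10.0 on the CVSSv2 base score) and the routine update check recommended earlier for Adobe Flash Player, Adobe Reader and Oracle JRE fit together in a small vulnerability-management script, here is an added Python example. It is not code from IPA, JVN iPedia or MyJVN Version Checker; the product names, versions, scores and the `Advisory` record layout are constructed for illustration, and the version comparison is a deliberately simple dotted-numeric scheme rather than any vendor's real versioning rules.

```python
"""Added example, not IPA/JVN iPedia code: a minimal vulnerability-management
check combining an installed-version comparison with the CVSSv2 severity
levels used in this report (I: 0.0-3.9, II: 4.0-6.9, III: 7.0-10.0).
All product names, versions and scores are constructed sample data."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """One constructed advisory record (hypothetical layout, not JVN iPedia's)."""
    product: str
    fixed_version: str      # first version that contains the fix
    cvss_v2_base: float     # CVSSv2 base score, 0.0-10.0


def severity_level(score: float) -> str:
    """Map a CVSSv2 base score to the severity level used in this report."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 7.0:
        return "III (High)"
    if score >= 4.0:
        return "II (Medium)"
    return "I (Low)"


def parse_version(text: str) -> tuple:
    """Simplified dotted-numeric parsing: '23.0.0.207' -> (23, 0, 0, 207).
    Non-numeric separators are ignored, so '8.0_111' -> (8, 0, 111).
    Real products have vendor-specific schemes; this is a teaching stand-in."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b.
    Shorter versions are padded with zeros so that '2.1' equals '2.1.0'."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def check_inventory(inventory: dict, advisories: list) -> list:
    """Return (product, installed, fixed, score, level) for each installed
    product older than the fixed version, most severe first."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.product)
        if installed is None:
            continue  # product not installed on this machine
        if compare_versions(installed, adv.fixed_version) < 0:
            findings.append((adv.product, installed, adv.fixed_version,
                             adv.cvss_v2_base, severity_level(adv.cvss_v2_base)))
    findings.sort(key=lambda f: f[3], reverse=True)
    return findings


def severity_distribution(advisories: list) -> dict:
    """Percentage of advisories at each level, as in Figure 2-2 (one decimal)."""
    counts = {"I (Low)": 0, "II (Medium)": 0, "III (High)": 0}
    for adv in advisories:
        counts[severity_level(adv.cvss_v2_base)] += 1
    total = sum(counts.values())
    if total == 0:
        return {level: 0.0 for level in counts}
    return {level: round(100.0 * n / total, 1) for level, n in counts.items()}


# Constructed sample advisories and inventory (not real JVN iPedia entries).
SAMPLE_ADVISORIES = [
    Advisory("SamplePlayer", "24.0.0.186", 10.0),
    Advisory("SampleReader", "15.020.20039", 9.3),
    Advisory("SampleRuntime", "8.0.111", 7.6),
    Advisory("SampleCMS", "2.1.0", 4.3),
    Advisory("SampleViewer", "3.2", 2.6),
]
SAMPLE_INVENTORY = {
    "SamplePlayer": "23.0.0.207",    # older than the fix -> affected
    "SampleReader": "15.020.20039",  # already on the fixed version
    "SampleRuntime": "8.0.101",      # older than the fix -> affected
    "SampleCMS": "2.1",              # equals 2.1.0 after padding -> not affected
    "SampleViewer": "3.1.5",         # older than the fix -> affected
}

if __name__ == "__main__":
    for product, installed, fixed, score, level in check_inventory(
            SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        print(f"UPDATE {product}: {installed} -> {fixed}  CVSSv2 {score}  Level {level}")
    print(severity_distribution(SAMPLE_ADVISORIES))
```

Run stand-alone, the script lists the three affected sample products in descending CVSSv2 order and prints the Level I/II/III percentage split of the sample advisories. The zero-padding in `compare_versions` is the detail a real checker has to get right: without it "2.1" would be treated as older than "2.1.0" and a fixed installation would be flagged as vulnerable, which is the kind of false positive that trains users to ignore update warnings.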
Figure 2-3 shows the yearly change in the type of software reported with vulnerability. Application vulnerabilities have been disclosed most, accounting for 72.4 percent of the 2016 total.
Since 2007, vulnerabilities in industrial control systems (ICS) used in critical infrastructure sectors have also been added to JVN iPedia. As of 2016/4Q, a total of 945 ICS vulnerabilities have been registered (Figure 2-4).
Table 2-4 lists the top 20 software whose vulnerabilities were most registered to JVN iPedia during the 4th quarter (October to December) of 2016. Ranked 1st is Android with 129 vulnerabilities. Other than Android, many Microsoft products, such as Windows 10, are also ranked in (in total 418 vulnerabilities were registered this quarter).
Besides the operating systems and browsers that are often ranked in, JVN iPedia stores vulnerabilities in a variety of software used in business and at home. IPA hopes software developers and users will make use of JVN iPedia to efficiently check vulnerability information about the software they are using and take the necessary action in a timely manner (*9).
| Rank | Category | Product Name (Vendor) | Number of Vulnerabilities |
|---|---|---|---|
| 2 | PDF Viewer | Adobe Reader (Adobe Systems) | 75 |
| 2 | PDF Viewer/Editor | Adobe Acrobat (Adobe Systems) | 75 |
| 2 | PDF Viewer/Editor | Adobe Acrobat DC (Adobe Systems) | 75 |
| 2 | PDF Viewer | Adobe Acrobat Reader DC (Adobe Systems) | 75 |
| 6 | OS | Microsoft Windows 10 (Microsoft) | 60 |
| 7 | OS | Microsoft Windows 8.1 (Microsoft) | 51 |
| 8 | OS | Microsoft Windows Server 2012 (Microsoft) | 49 |
| 9 | Script Language | phpMyAdmin (The phpMyAdmin Project) | 48 |
| 10 | OS | Microsoft Windows 7 (Microsoft) | 46 |
| 11 | OS | Microsoft Windows RT 8.1 (Microsoft) | 44 |
| 11 | OS | Microsoft Windows Server 2008 (Microsoft) | 44 |
| 11 | OS | Microsoft Windows Vista (Microsoft) | 44 |
| 14 | Browser | Microsoft Windows Edge (Microsoft) | 41 |
| 15 | Media Player | Adobe Flash Player (Adobe Systems) | 40 |
| 16 | OS | Microsoft Windows Server 2016 (Microsoft) | 39 |
| 17 | OS | Linux Kernel (kernel.org) | 38 |
| 18 | Emulator | QEMU (Fabrice Bellard) | 36 |
| 19 | Browser | W3m (w3m project) | 31 |
Table 3-1 lists the top 20 most accessed vulnerability information in JVN iPedia during the 4th quarter of 2016 (October – December).
Ranked 1st is a vulnerability in Flexera InstallShield, which is used to create installers. Ranked 2nd is the Linux Dirty Cow vulnerability. Likely because they were picked up by news outlets, SetucoCMS vulnerabilities ranked 7th, 9th, 10th, 11th, 12th and 15th. SetucoCMS is no longer supported, so users need to stop using it to avoid the harm that may result from these vulnerabilities.
| Rank | ID | Title | CVSS Base Score | Published Date | Accesses |
|---|---|---|---|---|---|
| 1 | JVNDB-2016-001684 | Flexera InstallShield Windows Setup Launcher Executable Issues (Japanese) | 7.2 | 2016/3/14 | 6,176 |
| 2 | JVNDB-2016-005596 | Linux kernel race condition in mm/gup.c by leveraging incorrect handling of a copy-on-write (COW) feature (Japanese) | 7.2 | 2016/10/25 | 5,723 |
| 3 | JVNDB-2016-000211 | Installer of 7-Zip for Windows may insecurely load Dynamic Link Libraries | 6.8 | 2016/10/26 | 4,829 |
| 4 | JVNDB-2016-000207 | The installer of e-Tax Software may insecurely load Dynamic Link Libraries | 6.8 | 2016/10/19 | 4,713 |
| 5 | JVNDB-2016-000202 | Usermin cross-site scripting vulnerabilities | 2.6 | 2016/10/7 | 4,443 |
| 6 | JVNDB-2016-004511 | DES and Triple DES encryption algorithm used in cryptographic protocols like TLS vulnerable to birthday attacks (Japanese) | 5.0 | 2016/9/2 | 4,386 |
| 7 | JVNDB-2016-000196 | SetucoCMS vulnerable to cross-site request forgery | 4.0 | 2016/10/7 | 4,236 |
| 8 | JVNDB-2016-000195 | Cryptography API: Next Generation (CNG) vulnerable to denial-of-service (DoS) | 4.3 | 2016/10/7 | 4,235 |
| 9 | JVNDB-2016-000200 | SetucoCMS vulnerable to code injection | 6.5 | 2016/10/7 | 4,232 |
| 10 | JVNDB-2016-000201 | SetucoCMS vulnerable to session management | 4.0 | 2016/10/7 | 4,180 |
| 11 | JVNDB-2016-000197 | SetucoCMS vulnerable to cross-site scripting | 4.3 | 2016/10/7 | 4,174 |
| 12 | JVNDB-2016-000198 | SetucoCMS vulnerable to SQL injection | 6.5 | 2016/10/7 | 4,076 |
| 13 | JVNDB-2016-000215 | Access restriction bypass vulnerability in WFS-SR01 | 7.5 | 2016/11/2 | 4,065 |
| 14 | JVNDB-2016-000214 | Command injection vulnerability in WFS-SR01 | 7.5 | 2016/11/2 | 4,042 |
| 15 | JVNDB-2016-000199 | SetucoCMS vulnerable to denial-of-service (DoS) | 5.0 | 2016/10/7 | 3,994 |
| 16 | JVNDB-2016-000212 | The installer of The Public Certification Service for Individuals "The JPKI user's software" may insecurely load Dynamic Link Libraries | 6.8 | 2016/11/1 | 3,965 |
| 17 | JVNDB-2016-000192 | Cybozu Office vulnerable to denial-of-service (DoS) | 6.8 | 2016/10/3 | 3,887 |
| 18 | JVNDB-2016-000193 | Cybozu Office vulnerable to Reflected File Download (RFD) | 3.5 | 2016/10/3 | 3,677 |
| 19 | JVNDB-2016-000210 | SQL injection vulnerability in WordPress plugin WP-OliveCart | 6.5 | 2016/10/20 | 3,649 |
| 20 | JVNDB-2016-000168 | Toshiba FlashAir does not require authentication in "Internet pass-thru Mode" | 5.4 | 2016/9/27 | 3,550 |
Table 3-2 lists the top 5 most accessed vulnerability information among those reported by domestic product developers. If using vulnerable software, system administrators should apply security patches or update their system as soon as possible to prevent damage.
| Rank | ID | Title | CVSS Base Score | Published Date | Accesses |
|---|---|---|---|---|---|
| 1 | JVNDB-2016-005655 | Vulnerabilities in JP1/IT Desktop Management 2 - Manager and JP1/NETM/DM | 10.0 | 2016/11/1 | 3,434 |
| 2 | JVNDB-2016-004496 | Information Disclosure Vulnerability in Hitachi Automation Director and JP1/Automatic Operation | 3.5 | 2016/9/2 | 1,135 |
| 3 | JVNDB-2011-001632 | Arbitrary Data Insertion Vulnerability in Hitachi Web Server SSL/TLS Protocol | 4.3 | 2011/5/26 | 241 |
| 4 | JVNDB-2007-001022 | Apache UTF-7 Encoding Cross-Site Scripting Vulnerability | 4.3 | 2007/12/25 | 221 |
| 5 | JVNDB-2011-001633 | Header Customization by Hitachi Web Server RequetHeader Directive Could Allow Attacker to Access Data Deleted from Memory | 5.1 | 2011/5/26 | 198 |
Note 1) Color Code for CVSS Base Score and Severity Level
CVSS Base Score = 0.0-3.9: Severity Level = I (Low)
CVSS Base Score = 4.0-6.9: Severity Level = II (Medium)
CVSS Base Score = 7.0-10.0: Severity Level = III (High)
Note 2) Color Code for Published Date
Published in 2014 and before / Published in 2015 / Published in 2016
(*1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information including information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.
(*2) National Vulnerability Database: A vulnerability database operated by NIST.
(*3) National Institute of Standards and Technology: A U.S. federal agency that develops and promotes measurement, standards and technology.
(*4) icat: As of December 2016, used by about 1,100 websites including companies, government agencies and educational institutions.
(*5) MyJVN Version Checker
(*6) How to Secure Your Websites
(*7) Secure Programming Guide
(*8) CVSSv3: An open framework for assessing the severity of vulnerabilities. Version 3 takes into account technological developments such as the prevalence of virtualization and sandbox technology.
(*9) IPA Technical Watch - Daily Practice Guide: Tips on Vulnerability Management
The guide gives tips on how to collect and leverage vulnerability information efficiently and effectively.
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)