IPA/ISEC:Vulnerabilities:JVN iPedia Upgraded to New Version

Synonym Search and Other Features Added in Reply to User Requests

June 18, 2009

The Information-technology Promotion Agency (IPA, Chairman Hiroshi Nishigaki) released the renewed vulnerability countermeasure information database JVN iPedia on Thursday June 18th, 2009.
The upgrade includes the synonym search function, provision of detailed explanation on the vulnerability, and display of content by language.

JVN iPedia ( http://jvndb.jvn.jp/ ) is a domestic vulnerability countermeasure information database for Japan, aggregating vulnerability overview and countermeasure information for software utilized within the country, and has been publishing the information since April 25, 2007.

Currently, the registered vulnerability countermeasure information has reached a cumulative total of 6,390 cases; 74 cases were gathered from domestic product developers, 659 cases collected from JVN(*1), and 5,657 cases were obtained from NVD(*2).

The English version of JVN iPedia ( http://jvndb.jvn.jp/en/ ) has reached a cumulative total of 444 cases; 74 cases were gathered from domestic product developers, and 370 cases were collected from JVN.

The access count for JVN iPedia has reached approximately 400,000 accesses per month.

In response to user requests, JVN iPedia has expanded its functions. The upgrade includes the synonym search function, detailed explanations of vulnerabilities to encourage better comprehension, a search function for looking up related JVN information, and display of content by language, which seeks to strengthen international cooperation.

These upgrades were introduced and made available to the public on Thursday June 18th, 2009.

The synonym search function applies approximately 170 synonym terms, including abbreviations of security terms and product names, when conducting a search.

For example, when using the word “Improper” as the keyword, the search results for the term “Insufficient” are also displayed in the output when the synonym search option is selected at the search page (Figure 1).

This function has made it easier to find specific vulnerability countermeasure information.

Figure 1. JVN iPedia Function Additions (Synonym Search)

Other Function Additions
1. Provision of Detailed Explanation on the Vulnerability

JVN iPedia utilizes the CWE(*3)(Common Weakness Enumeration) to identify the types of vulnerability and includes the CWE information in the reference section of the vulnerability countermeasure information page. In this way, users are able to identify the vulnerability type and search for vulnerability countermeasure information by the CWE types.

In this upgrade, the 19 vulnerability types used by JVN iPedia from the CWE list, published by CWE, have been translated into Japanese. The new function provided displays the information, such as a description of the vulnerability, time of introduction, common consequences, demonstrative example codes, and observed examples (Figure 2).

By referring to this information, users of the software products can gain understanding of the severity of the vulnerability in question and utilize it as a reference when applying vulnerability countermeasures.

Also, software product developers can gain an understanding of the time of introduction, observed examples and mitigation measures to avoid building in the vulnerability, enabling them to examine methods for preventing similar vulnerabilities.

Figure 2. Detailed Explanation on the Vulnerability

2. Related JVN information Search Function

The JVN iPedia search function displays the vulnerability countermeasure information ID “JVNDB-yyyy-nnnnnn”, title, severity level based on the common vulnerability scoring system (CVSS(*4)), date of publication, and date of the latest update in the search result.

In this update, in the event the JVN vulnerability countermeasure information is available, the ID of the JVN information such as “JVN#”, “JVNVU#”, and “JVNTA” is also displayed in addition to the JVN iPedia vulnerability countermeasure information ID (Figure 3).

In this way, related JVN information may also be easily used as a reference from the JVN iPedia search results.

Figure 3. Related JVN Information Search

3. Content Display by Language

JVN iPedia publishes English versions in addition to the Japanese versions of domestic vulnerability countermeasure information for overseas viewers. Also, the Common Vulnerabilities and Exposures (CVE(*5)) has been employed in order to enable cross-reference and association between domestic and foreign vulnerability countermeasure information. The access count to the English version has surpassed approximately 80,000 accesses per month.

In order to accommodate both domestic and foreign users in terms of convenience, a function that displays contents by language has been supplemented. The Japanese or English version is displayed in accordance with the language preference established in the web browser.

In the past, the following link was used to view the Japanese version of the vulnerability countermeasure information ID “JVNDB-2009-000001”:
http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-000001.html
And the following link was used to view the English version, so a separate URL had to be assigned to each page based on the language:
http://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000001.html

By using the newly added function, when the following link is accessed, as shown in Figure 4, the Japanese version or the English version of the page is now automatically selected and displayed in response to the web browser language preference set by the user.
http://jvndb.jvn.jp/jvndb/JVNDB-2009-000001

In this way, information can be easily obtained in the language preferred by the user through the use of a single URL.

Also, reciprocal links to either the Japanese or English version of the page were added at the top right-hand corner to make the information of both languages more accessible.

Figure 4. Content Display By Language
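The following Python sketch is an added example, not IPA's code: it validates a "JVNDB-yyyy-nnnnnn" ID and shows which per-language page the single URL would lead to for a given `Accept-Language` header, which matters for scripted collectors that need a predictable language. The URL patterns come from this page; the q-value ordering and the fallback to English are assumptions about the server's selection rule.

```python
import re

BASE = "http://jvndb.jvn.jp"                   # URL patterns as given on this page
ID_RE = re.compile(r"JVNDB-(\d{4})-(\d{6})")   # JVNDB-yyyy-nnnnnn
SUPPORTED = ("ja", "en")


def parse_accept_language(header):
    """Return language ranges ordered by descending q (ties keep header order)."""
    ranges = []
    for pos, item in enumerate(header.split(",")):
        parts = [p.strip() for p in item.split(";")]
        tag = parts[0].lower()
        if not tag:
            continue
        q = 1.0
        for param in parts[1:]:
            if param.lower().startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0          # malformed weight: treat as "not acceptable"
        if q > 0:
            ranges.append((-q, pos, tag))
    return [tag for _, _, tag in sorted(ranges)]


def pick_language(header, default="en"):
    """Assumed rule: first preferred range whose primary subtag is ja or en."""
    for tag in parse_accept_language(header or ""):
        primary = tag.split("-")[0]
        if primary in SUPPORTED:
            return primary
    return default                   # assumption: the real fallback is not documented here


def resolve(jvndb_id, accept_language):
    """Map the single-URL form to the per-language page it would display."""
    m = ID_RE.fullmatch(jvndb_id)
    if not m:
        raise ValueError("not a JVNDB-yyyy-nnnnnn identifier: %r" % jvndb_id)
    lang = pick_language(accept_language)
    return {
        "single_url": f"{BASE}/jvndb/{jvndb_id}",
        "language": lang,
        "page_url": f"{BASE}/{lang}/contents/{m.group(1)}/{jvndb_id}.html",
    }
```

A collector that must always store the English record can skip negotiation and request the `/en/contents/...` form directly.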

4. Support for RSS Auto-Discovery

To make vulnerability countermeasure information easy to obtain, JVN iPedia distributes JVNDBRSS(*6) in RSS (RDF Site Summary) format.

Now JVNDBRSS supports the RSS auto-discovery(*7). As shown in Figure 5, when the JVN iPedia top page is accessed with browsers compliant with the RSS auto-discovery, such as Internet Explorer and Firefox, the RSS file is detected automatically, making JVNDBRSS exceptionally accessible.

Figure 5. Support for RSS Auto-Discovery
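The sketch below is an added example, not part of the original announcement: it performs the same auto-discovery a browser does, reading `<link rel="alternate" type="application/rss+xml">` elements from a page, and keeps only http(s) feeds on the page's own host before a tool subscribes to them. The sample HTML is constructed and the feed paths in it are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

FEED_TYPE = "application/rss+xml"

# Constructed sample page; the feed paths are hypothetical, not JVN iPedia's real ones.
SAMPLE_HTML = """<html><head>
<title>JVN iPedia</title>
<link rel="stylesheet" type="text/css" href="/css/style.css">
<link rel="alternate" type="application/rss+xml" title="JVNDBRSS (constructed)" href="/en/rss/example.rdf">
<link rel="alternate" type="application/rss+xml" title="off-site" href="http://feeds.example.net/x.rdf">
</head><body></body></html>"""


class FeedLinkFinder(HTMLParser):
    """Collects (title, absolute URL) for every RSS auto-discovery link."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.feeds = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = {k: (v or "") for k, v in attrs}
        rels = a.get("rel", "").lower().split()
        if ("alternate" in rels
                and a.get("type", "").strip().lower() == FEED_TYPE
                and a.get("href")):
            # href may be relative; resolve it against the page URL
            self.feeds.append((a.get("title", ""), urljoin(self.page_url, a["href"])))


def discover_feeds(html, page_url, same_host_only=True):
    """Return advertised feeds, dropping non-http(s) and (optionally) off-host URLs."""
    finder = FeedLinkFinder(page_url)
    finder.feed(html)
    page_host = urlsplit(page_url).hostname
    accepted = []
    for title, url in finder.feeds:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue
        if same_host_only and parts.hostname != page_host:
            continue
        accepted.append((title, url))
    return accepted
```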

5. Addition of CPE Information to JVNDBRSS

At IPA, the filtered vulnerability countermeasure information tool MyJVN(*8) ( http://jvndb.jvn.jp/en/apis/myjvn/ ) is currently being used to test the implementation of the Common Platform Enumeration (CPE(*9)).

By correlating the CPE name with the vulnerability countermeasure information registered in JVN iPedia, MyJVN can display only the information relevant to the user and can also group information by vendor name and product name.

Now CPE information is supplemented to JVNDBRSS (Figure 6) to make it possible for JVN iPedia to distribute CPE information.

Through this addition, the platforms that need to implement countermeasures against the vulnerability can be discerned with the use of CPE information. Also, CPE information can be utilized for asset management to manage the entire information system.

Figure 6. Addition of CPE Information To JVNDBRSS

Footnote

(*1)Japan Vulnerability Notes. Vulnerability countermeasure portal site. Publishes vulnerability countermeasure handling status by product developers and supports system security countermeasures. Operated by IPA and JPCERT/CC.
http://jvn.jp/

(*2)National Vulnerability Database. Vulnerability database operated by NIST (National Institute of Standards and Technology).
http://nvd.nist.gov/

(*3)CWE: Common Weakness Enumeration. Refer to “CWE (Common Weakness Enumeration) Overview”.
http://www.ipa.go.jp/security/english/vuln/CWE_en.html

(*4)CVSS: Common Vulnerability Scoring System. Refer to “Common Vulnerability Scoring System CVSS v2 Overview”.
http://www.ipa.go.jp/security/vuln/SeverityCVSS2.html (Japanese only)
For more information, please refer to CVSS 2.0.
http://www.first.org/cvss/cvss-guide.html

(*5)CVE: Common Vulnerabilities and Exposures. Refer to “CVE (Common Vulnerabilities and Exposures) Overview”.
http://www.ipa.go.jp/security/english/vuln/CVE_en.html

(*6)JVNDBRSS: Refer to “What is JVN iPedia?”
http://jvndb.jvn.jp/en/nav/jvndb.html

(*7)RSS Auto-discovery: Mechanism where the RSS file can be automatically detected by inserting the path to the RSS file in the HTML file.

(*8)MyJVN: Filtered vulnerability countermeasure information tool that enables users to efficiently obtain only information relevant to the user from the vast number of vulnerability countermeasure information registered in JVN iPedia.
http://jvndb.jvn.jp/en/apis/myjvn/

(*9)CPE: Common Platform Enumeration.
Refer to “CPE (Common Platform Enumeration) Overview”.
http://www.ipa.go.jp/security/english/vuln/CPE_en.html

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: