IPA/ISEC:Vulnerabilities:JVN iPedia Registration Status for 2008 2Q

First quarterly analysis report
on vulnerabilities found in IT products widely used in Japan

August 15, 2008

Information-technology Promotion Agency, Japan (IPA, Chairman Koji Nishigaki) started to publish quarterly analysis reports on the vulnerabilities registered to JVN iPedia, a vulnerability countermeasure information database, and has issued the first report covering the second quarter of the year 2008.

JVN iPedia ( http://jvndb.jvn.jp/ ) is a database of vulnerability countermeasure information on IT products pervasively used in Japan. It is a collection of vulnerability information disclosed by domestic software developers, or published on JVN(*1), a vulnerability information portal, and on NVD(*2), a vulnerability database operated by NIST(*3), and has been operational since April 25, 2007.
To help software developers and users understand vulnerability trends and encourage security measures, IPA began publishing quarterly analysis reports on the vulnerabilities registered to JVN iPedia, starting with this report for the second quarter of the year 2008.

As seen in Figure 1, about 300 vulnerabilities per quarter have been registered to JVN iPedia since its initial release of 3,562 vulnerabilities on April 24, 2007. As of June 30, 2008, the number of vulnerabilities registered has grown to 5,042, of which 52 were collected from domestic software developers, 472 from JVN and 4,518 from NVD.
IPA will promote awareness of JVN iPedia and increase its efforts to collect vulnerability information disclosed independently by domestic software developers.

As seen in Figure 2, the annual trend of vulnerabilities added to JVN iPedia suggests that the number of vulnerabilities disclosed, a noticeable portion of which are rated high on the severity scale, has been increasing since 2004. Users are recommended to check vulnerability information on a daily basis and update the products they use to the latest version or apply security patches.

As seen in Figure 3, a number of well-known vulnerability types, such as buffer overflow, lack of access control and cross-site scripting, are still a hot topic, and quite a number of cases have been reported to IPA in the last few years. Software developers should be well aware of known vulnerabilities and integrate security in the early stages of the design phase of product development.

As seen in Table 2, the most accessed vulnerability data in JVN iPedia concern popular software, such as Lhaplus, Mozilla Firefox, Adobe Reader/Acrobat, Microsoft Excel and Sun JRE. JVN iPedia gets more than 100,000 hits monthly, and IPA hopes people continue to refer to and use JVN iPedia as a central reference point for vulnerability information.

In addition, the English version of JVN iPedia ( http://jvndb.jvn.jp/en/ ) was released on May 21, 2008, to promote the use of vulnerability information and strengthen international partnerships.

1. Summary of 2008 2Q

During the second quarter of 2008 (April 1 to June 30), a total of 298 vulnerabilities, of which 8 were collected from domestic software developers, 24 from JVN and 266 from NVD, were registered to JVN iPedia (Table 1 and Figure 1). The cumulative number of vulnerabilities registered since the initial release of JVN iPedia on April 25, 2007, is 5,042, passing the milestone of 5,000 this quarter. Of those vulnerabilities, 52 were collected from domestic software vendors, 472 from JVN and 4,518 from NVD.

Table 1. Vulnerabilities Registered in 2Q

Source              | 2008 2Q | Total Sum
Domestic Developers | 8       | 52
JVN                 | 24      | 472
NVD                 | 266     | 4,518
Total               | 298     | 5,042

Figure 1. Quarterly Changes in # of Registered Vulnerabilities

2. About Vulnerabilities Registered on JVN iPedia

2.1 Severity of Vulnerabilities

JVN iPedia rates and publishes the severity(*4) of each vulnerability using CVSS(*5).

Figure 2 shows the annual changes in the severity of vulnerabilities added to JVN iPedia based on the date they were first made public.

So far in 2008, 45 percent of the vulnerabilities are rated level III ("High", CVSS Base Score = 7.0-10.0), 50 percent are level II ("Medium", CVSS Base Score = 4.0-6.9) and 5 percent are level I ("Low", CVSS Base Score = 0.0-3.9).

The number of vulnerabilities disclosed has been increasing since 2004, and a considerable number of them are rated as highly severe. Users need to check vulnerability information on a daily basis and update the products they use to the latest version or apply security patches.

Figure 2. Annual Changes in Severity of Vulnerabilities
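The three severity levels above are a fixed banding of the CVSS v2 base score. The following is an added example, not code from IPA or JVN iPedia, that applies that banding and tallies a list of scores the way the report's percentages are derived; the only assumptions are the boundaries quoted in the text (7.0, 4.0, 0.0) and that scores are compared at one decimal place, as CVSS reports them. The sample input is constructed from the "CVSS Severity" column of Table 2 on this page.

```python
from collections import Counter

# Level boundaries exactly as the report states them (CVSS v2 base score):
# level III "High" 7.0-10.0, level II "Medium" 4.0-6.9, level I "Low" 0.0-3.9.
LEVELS = (
    ("III", "High", 7.0),
    ("II", "Medium", 4.0),
    ("I", "Low", 0.0),
)


def severity_level(base_score):
    """Return (level, label) for a CVSS v2 base score.

    The score is rounded to one decimal before comparison, matching the
    precision CVSS uses, so 6.9 stays level II and 7.0 becomes level III.
    Values outside 0.0-10.0 are rejected rather than silently mislabelled.
    """
    score = round(float(base_score), 1)
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score!r}")
    for level, label, floor in LEVELS:
        if score >= floor:
            return level, label
    raise AssertionError("unreachable: every score >= 0.0 matches level I")


def level_breakdown(scores):
    """Count entries per level; every level is present in the result, even if 0."""
    counts = Counter(severity_level(s)[0] for s in scores)
    return {level: counts.get(level, 0) for level, _, _ in LEVELS}


def level_shares(scores):
    """Percentage of entries per level, rounded to whole percent as in the report."""
    counts = level_breakdown(scores)
    total = sum(counts.values())
    return {level: round(100 * n / total) for level, n in counts.items()}


# Constructed from the "CVSS Severity" column of Table 2 (top 20 most accessed
# entries in 2008 2Q), listed in rank order.
TABLE2_SCORES = [6.8, 2.6, 10, 10, 6.8, 4.3, 4.3, 4.3, 4.3, 7.5,
                 7.4, 4.3, 4.3, 10, 4.0, 4.3, 5.0, 2.6, 4.3, 2.6]

if __name__ == "__main__":
    breakdown = level_breakdown(TABLE2_SCORES)
    shares = level_shares(TABLE2_SCORES)
    for level, label, _ in LEVELS:
        print(f"level {level:<3} ({label:<6}): {breakdown[level]:2d} entries, {shares[level]}%")
```

Running it shows that 5 of the 20 most accessed entries are level III, 12 are level II and 3 are level I, which is why the report notes that high-severity entries are over-represented among the most viewed items relative to their 45 percent share of all 2008 entries is not something the top-20 alone can confirm; the function only tallies whatever list it is given.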

2.2 Types of Vulnerabilities

Figure 3 shows the annual changes in the types of vulnerabilities added to JVN iPedia based on the date they were first made public.

As shown in the figure below, a number of well-known vulnerabilities, such as buffer overflow (the first buffer overflow vulnerability case on JVN iPedia was published in 1998), lack of access control (the first in 1999) and cross-site scripting (the first in 2000), have been published.

Software developers are advised to refer to How to Secure Your Web Site(*6), the security guidelines offered free of charge by IPA, and to integrate security in the early stages of the design phase of software development.

Figure 3. Annual Changes in Types of Vulnerabilities

2.3 Kinds of Products

Figure 4 shows the annual changes in the kinds of software products registered to JVN iPedia for having vulnerabilities based on the date they were first made public.

The increase in the number of vulnerabilities found in application software in recent years is prominent. Application software includes desktop applications such as Internet Explorer, Mozilla Firefox and Microsoft Office, middleware such as Web server applications and databases, and development platforms such as PHP, Java and the GNU libraries. Many software applications are developed every year, some of which, regrettably, contain vulnerabilities.

The number of vulnerabilities in operating systems, such as Windows, Mac OS, UNIX and Linux, had been on the rise until about 2005, but has been decreasing since then. Vulnerabilities are still found in operating systems every year, but the developers seem to be getting quicker at fixing them in subsequent releases.

Meanwhile, a new category of embedded software has emerged, and vulnerabilities in network devices such as routers and switches, peripheral devices such as printers and hard disks, and intelligent home appliances such as cell phones and DVD recorders have begun appearing.

Figure 4. Annual Changes in Kinds of Product w/ Vulnerabilities

2.4 Open Source Software

Figure 5 shows the annual changes in vulnerabilities found in open source software (OSS) and non-OSS based on the date they were first made public. 37 percent of the vulnerabilities registered are in OSS and 63 percent are in non-OSS. As for the ratio between OSS and non-OSS, the OSS share had been on the rise from 1998 to 2003 and peaked in 2003, but it has been decreasing since then.

Figure 5. Annual Changes in # of OSS and Non-OSS Cases

2.5 Product Vendors

Figures 6 and 7 show the breakdown of software vendors whose products are registered on JVN iPedia. Figure 6 is a breakdown of OSS vendors and Figure 7 of non-OSS vendors.

There are a total of 211 OSS vendors, of which 47 are domestic vendors, 20 are overseas vendors with an office in Japan and 144 are overseas vendors without an office in Japan (Figure 6). For non-OSS vendors, there are a total of 144 vendors, of which 87 are domestic vendors, 40 are overseas vendors with an office in Japan and 17 are overseas vendors without an office in Japan (Figure 7).

As seen in these figures, a number of vulnerabilities have been found in products developed by overseas vendors that do not have a Japanese office. When using OSS, users who do not know how to update the software to the latest version or apply security patches may consider arranging for the support or maintenance service offered by the vendor.

Figure 6. OSS Vendors / Figure 7. Non-OSS Vendors

3. Most Accessed Vulnerability Countermeasure Information

Table 2 is a list of the top 20 most accessed vulnerability countermeasure information entries on JVN iPedia during the second quarter of 2008. The vulnerabilities of pervasively used products, such as Lhaplus, Mozilla Firefox, Adobe Reader/Acrobat, Microsoft Excel and Sun JRE, those with a high severity score, and recently published ones have been accessed most. Table 3 narrows the list to the top 5 most accessed entries collected from domestic software developers.

Table 2. Top 20 Most Accessed Vulnerability Countermeasure Information on JVN iPedia

#  | ID                | Title                                                                                                     | CVSS Severity | Date Public
1  | JVNDB-2008-000022 | Lhaplus buffer overflow vulnerability                                                                     | 6.8           | 2008/04/28
2  | JVNDB-2008-000021 | Mozilla Firefox cross-site scripting vulnerability                                                        | 2.6           | 2008/04/04
3  | JVNDB-2008-001090 | Adobe Reader/Acrobat multiple vulnerabilities (in Japanese)                                               | 10            | 2008/02/07
4  | JVNDB-2008-001031 | Microsoft Excel code execution vulnerability (in Japanese)                                                | 10            | 2008/01/15
5  | JVNDB-2008-000016 | Sun Java Runtime Environment (JRE) contains a vulnerability in processing XSLT transformations            | 6.8           | 2008/03/11
6  | JVNDB-2007-001017 | Apache HTTP Server 413 error HTTP request method cross-site scripting vulnerabilities (in Japanese)       | 4.3           | 2007/12/03
7  | JVNDB-2008-000023 | Sony mylo COM-2 does not verify server SSL certificate                                                    | 4.3           | 2008/04/23
8  | JVNDB-2007-000819 | Cross-site scripting vulnerability in Apache HTTP Server "mod_imap" and "mod_imagemap"                    | 4.3           | 2007/12/13
9  | JVNDB-2008-000027 | Cross-site scripting vulnerabilities in multiple Bluemoon Inc. XOOPS modules                              | 4.3           | 2008/04/28
10 | JVNDB-2008-000017 | Multiple I-O DATA DEVICE wireless LAN routers default configuration does not set authentication           | 7.5           | 2008/03/18
11 | JVNDB-2008-001043 | X.Org Foundation X server buffer overflow vulnerability                                                   | 7.4           | 2008/01/17
12 | JVNDB-2008-000019 | PerlMailer cross-site scripting vulnerability                                                             | 4.3           | 2008/03/27
13 | JVNDB-2008-000018 | Namazu cross-site scripting vulnerability                                                                 | 4.3           | 2008/03/21
14 | JVNDB-2007-001093 | "inet_network()" Off-By-One Vulnerability (in Japanese)                                                   | 10            | 2007/12/10
15 | JVNDB-2008-000005 | Multiple Yamaha routers vulnerable to cross-site request forgery                                          | 4.0           | 2008/01/28
16 | JVNDB-2008-000009 | Apache Tomcat fails to properly handle cookie value                                                       | 4.3           | 2008/02/12
17 | JVNDB-2008-000013 | FTP bounce vulnerability in multiple Canon digital multifunction copiers and laser beam printers          | 5.0           | 2008/03/05
18 | JVNDB-2008-000029 | Sleipnir and Grani vulnerable to arbitrary script execution when Bookmark search results are restored from history | 2.6  | 2008/06/04
19 | JVNDB-2008-000020 | DesignForm cross-site scripting vulnerability                                                             | 4.3           | 2008/03/27
20 | JVNDB-2007-000817 | Flash Player vulnerable in handling cross-domain policy files                                             | 2.6           | 2007/12/20

Table 3. Top 5 Most Accessed Vulnerability Countermeasure Information From Domestic Developers

#  | ID                | Title                                                                                              | CVSS Severity | Date Public
1  | JVNDB-2008-001313 | JP1/Cm2/Network Node Manager Denial of Service Vulnerability                                       | 5.0           | 2008/04/04
2  | JVNDB-2008-001350 | Hitachi Groupmax Collaboration Products Cross-Site Scripting Vulnerability                         | 4.3           | 2008/04/25
3  | JVNDB-2008-001347 | JP1/Cm2/Network Node Manager Web Coordinated Function Multiple Vulnerabilities                     | 7.5           | 2008/04/21
4  | JVNDB-2008-001150 | JP1/HIBUN Encryption/Decryption and Removable Media Control Malfunction Problems                   | 3.6           | 2008/02/27
5  | JVNDB-2008-001348 | Groupmax World Wide Web Desktop/BUNSHOKANRI (=DocumentManagement) Cross-Site Scripting Vulnerability | 4.3         | 2008/04/21

Footnotes

(*1) Japan Vulnerability Notes: a vulnerability information portal operated by IPA and JPCERT/CC ( http://jvn.jp/en/ ). It publishes information on product developers' responses to the vulnerabilities found and helps users secure their systems.

(*2) National Vulnerability Database: a vulnerability database operated by NIST ( http://nvd.nist.gov/nvd.cfm ).

(*3) National Institute of Standards and Technology: a U.S. federal agency that develops and promotes measurement, standards and technology ( http://www.nist.gov/ ).

(*4) The article on JVN iPedia's support of CVSS v2:
http://www.ipa.go.jp/security/vuln/SeverityLevel2.html (in Japanese)

(*5) Introduction to CVSS v2:
http://www.ipa.go.jp/security/vuln/SeverityCVSS2.html (in Japanese)
A Complete Guide to the Common Vulnerability Scoring System Version 2.0:
http://www.first.org/cvss/cvss-guide.html

(*6) How to Secure Your Web Site:
http://www.ipa.go.jp/security/english/vuln/200806_websecurity_en.html

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: