JVN iPedia Registration Status for 2008 3Q
JVN iPedia declared CWE-Compatible
CWE (Common Weakness Enumeration)
October 31, 2008
Information-technology Promotion Agency, Japan (IPA, Chairman Koji Nishigaki) has issued a quarterly analysis report on the vulnerabilities registered to JVN iPedia, a vulnerability countermeasure information database, for the third quarter of the year 2008.
JVN iPedia (http://jvndb.jvn.jp/) is a database of vulnerability countermeasure information on IT products widely used in Japan. It collects vulnerability information disclosed by domestic software developers or published on JVN(*1) and on NVD(*2), a vulnerability database operated by NIST(*3), and has been in service since April 25, 2007.
About 300 vulnerabilities have been registered to JVN iPedia every quarter since its initial release with 3,562 vulnerabilities on April 25, 2007. As of September 30, 2008, the total number of vulnerabilities registered has grown to 5,347, of which 62 are collected from domestic software developers, 516 from JVN and 4,769 from NVD (see Figure 1 and Table 1).
In addition, the English version of JVN iPedia (http://jvndb.jvn.jp/en/) was introduced on May 21, 2008, to promote the use of vulnerability information and strengthen international partnerships. The English version stores a total of 377 vulnerabilities, of which 62 are collected from domestic software developers and 315 are from JVN.
JVN iPedia began to support CWE (Common Weakness Enumeration) on a trial basis on September 10, 2008. IPA then worked on the few remaining requirements for a CWE compatibility declaration and declared JVN iPedia CWE-Compatible on October 3, 2008.
The official list of organizations participating in the CWE Compatibility and Effectiveness Program is available on Mitre’s CWE web site(*4).
http://cwe.mitre.org/compatible/organizations.html
The CWE vulnerability types registered most in 2008/3Q (July to September) are CWE-399 (Resource Management Error), CWE-264 (Permissions, Privileges and Access Controls), CWE-20 (Insufficient Input Validation), CWE-119 (Buffer Errors (Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer)) and CWE-79 (Failure to Sanitize Directives in a Web Page (aka 'Cross-site scripting' (XSS))) (see Figure 2).
Most of the product vulnerabilities reported fall into well-known vulnerability types. Software developers should be well aware of known vulnerabilities and integrate security in the early stages of product development.
As seen in Table 2, the most accessed vulnerability information in JVN iPedia concerns popular software such as DNS, Lhaplus, Apache, Adobe Reader/Acrobat and Sun JRE. JVN iPedia gets more than 100,000 hits monthly, and IPA hopes people will continue to refer to and use JVN iPedia as a central reference point for vulnerability information.
During the third quarter of 2008 (July 1 to September 30), a total of 305 vulnerabilities, of which 10 were collected from domestic software developers, 42 from JVN and 253 from NVD, were registered to JVN iPedia (Table 1 and Figure 1).
The total sum of vulnerabilities registered since the initial release of JVN iPedia on April 25, 2007, is 5,347. Of those vulnerabilities, 62 are collected from domestic software vendors, 516 are from JVN and 4,769 are from NVD.
Source | 2008 3Q | Total Sum
---|---|---
Domestic Developers | 10 | 62
JVN | 42 | 516
NVD | 253 | 4,769
Total | 305 | 5,347
Figure 2 shows the number of vulnerabilities registered to JVN iPedia in 2008/3Q by CWE type.
The top 10 are: CWE-399 (Resource Management Error) with 40 vulnerabilities, CWE-264 (Permissions, Privileges and Access Controls) with 37, CWE-20 (Insufficient Input Validation) with 35, CWE-119 (Buffer Errors (Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer)) with 31, CWE-79 (Failure to Sanitize Directives in a Web Page (aka 'Cross-site scripting' (XSS))) with 29, CWE-189 (Numeric Errors) with 28, CWE-200 (Information Leak (Information Disclosure)) with 14, CWE-94 (Code Injection) with 10, CWE-16 (Configuration) with 5 and CWE-22 (Path Traversal) with 5.
These are all well-known vulnerabilities. Software developers should refer to the IPA guidelines, such as How to Secure Your Web Site(*5), and start implementing security measures in the design phase of software development.
JVN iPedia rates and publishes the severity(*6) of each vulnerability using CVSS(*7).
Figure 3 shows the annual changes in the severity of vulnerabilities added to JVN iPedia based on the date they were first made public.
So far in 2008, 46 percent of the vulnerabilities are rated level III ("High", CVSS Base Score 7.0-10.0), 49 percent level II ("Medium", CVSS Base Score 4.0-6.9) and 5 percent level I ("Low", CVSS Base Score 0.0-3.9).
The number of vulnerabilities disclosed has been increasing since 2004, and a considerable share of them are rated as high severity. Users need to check vulnerability information on a daily basis and update the products they use to the latest version or apply security patches.
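As an added illustration (not part of the IPA report), the CVSS v2 base-score equation from the referenced FIRST guide, combined with the JVN iPedia level thresholds quoted above, applied to a few constructed vectors and then tallied into the percentage breakdown Figure 3 reports. The vectors are made up for the example and are not taken from any JVN iPedia entry.

```python
import math

# CVSS v2 base-metric weights as published in the "Complete Guide to CVSS v2" (FIRST).
_AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # Access Vector
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # Access Complexity
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # Confidentiality / Integrity / Availability impact

def _round1(x):
    """Round half up to one decimal place, as CVSS v2 scores are reported."""
    return math.floor(x * 10 + 0.5) / 10

def cvss2_base_score(vector):
    """Base score for a v2 vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]]))
    exploitability = 20 * _AV[m["AV"]] * _AC[m["AC"]] * _AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176   # no impact at all scores 0.0
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)

def jvn_severity_level(score):
    """JVN iPedia level: I = 0.0-3.9 (Low), II = 4.0-6.9 (Medium), III = 7.0-10.0 (High)."""
    if score >= 7.0:
        return "III"
    if score >= 4.0:
        return "II"
    return "I"

def severity_distribution(vectors):
    """Percentage of entries per severity level, in the form Figure 3 presents."""
    counts = {"I": 0, "II": 0, "III": 0}
    for v in vectors:
        counts[jvn_severity_level(cvss2_base_score(v))] += 1
    return {lvl: round(100 * n / len(vectors)) for lvl, n in counts.items()}

# Constructed sample vectors (hypothetical, not real JVN iPedia entries).
SAMPLE_VECTORS = [
    "AV:N/AC:L/Au:N/C:C/I:C/A:C",  # remote, unauthenticated, complete compromise -> 10.0
    "AV:N/AC:L/Au:N/C:P/I:P/A:P",  # remote code execution with partial impact    -> 7.5
    "AV:N/AC:L/Au:N/C:N/I:N/A:P",  # remote denial of service                      -> 5.0
    "AV:N/AC:M/Au:N/C:N/I:P/A:N",  # reflected cross-site scripting                -> 4.3
    "AV:L/AC:L/Au:N/C:P/I:N/A:N",  # local information leak                        -> 2.1
]

if __name__ == "__main__":
    for v in SAMPLE_VECTORS:
        print(v, cvss2_base_score(v), jvn_severity_level(cvss2_base_score(v)))
    print(severity_distribution(SAMPLE_VECTORS))
```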
Figure 4 shows the annual changes in the kinds of software products registered to JVN iPedia for having vulnerabilities based on the date they were first made public.
The increase in the number of vulnerabilities found in application software in recent years is prominent. Application software includes desktop applications such as Internet Explorer, Mozilla Firefox and Microsoft Office, middleware such as Web server applications and databases, and development platforms such as PHP, Java and GNU libraries. Many software applications are developed every year, some of which regrettably ship with vulnerabilities.
The number of vulnerabilities in operating systems such as Windows, Mac OS, UNIX and Linux had been on the rise until about 2005, but it has been decreasing since then. Vulnerabilities are still found in operating systems every year, but developers seem to be getting quicker at fixing them in subsequent releases.
Since about 2005, the amount of vulnerability countermeasure information on embedded software, such as network devices, cell phones and intelligent home appliances like DVD recorders, has been on the rise. In 2008/3Q, vulnerability countermeasure information about iPhone and iPod touch was released.
Figure 5 shows the annual changes in vulnerabilities found in open source software (OSS) and non-OSS based on the date they were first made public. 37 percent of the registered vulnerabilities are in OSS and 63 percent in non-OSS. As for the ratio between OSS and non-OSS, the OSS share had been on the rise from 1998 to 2003, peaked in 2003, and has been decreasing since then.
Figures 6 and 7 show the breakdown of software vendors registered on JVN iPedia: Figure 6 covers OSS vendors and Figure 7 non-OSS vendors.
There are a total of 229 OSS vendors, of which 51 are domestic vendors, 21 are overseas vendors with an office in Japan and 157 are overseas vendors without an office in Japan (Figure 6). For non-OSS, there are a total of 146 vendors, of which 91 are domestic vendors, 42 are overseas vendors with an office in Japan and 13 are overseas vendors without an office in Japan (Figure 7).
As these figures show, a number of vulnerabilities have been found in products developed by overseas vendors that do not have a Japanese office. When using OSS, users who do not know how to update the software to the latest version or apply security patches may consider arranging for the support or maintenance services offered by a vendor.
Table 2 lists the top 20 most accessed vulnerability countermeasure information items on JVN iPedia in 2008/3Q. Vulnerabilities in pervasively used products, such as DNS, Lhaplus, Apache, Adobe Reader/Acrobat and Sun JRE, with a high severity score and a recent publication date have been accessed most.
Table 3 narrows the list to the top 5 most accessed vulnerability countermeasure information items collected from domestic software developers.
Table 2. Top 20 Most Accessed Vulnerability Countermeasure Information on JVN iPedia
Table 3. Top 5 Most Accessed Vulnerability Countermeasure Information From Domestic Developers
# | ID | Title | CVSS Score | Date Public
---|---|---|---|---
1 | JVNDB-2008-001150 | JP1/HIBUN encryption/decryption and removable media control malfunction problems | 3.6 | 2008/03/14
2 | JVNDB-2008-001313 | JP1/Cm2/Network Node Manager denial of service vulnerability | 5.0 | 2008/05/09
3 | JVNDB-2008-001347 | JP1/Cm2/Network Node Manager web coordinated function multiple vulnerabilities | 7.5 | 2008/05/28
4 | JVNDB-2008-001350 | Hitachi Groupmax Collaboration products cross-site scripting vulnerability | 4.3 | 2008/05/28
5 | JVNDB-2008-001647 | | 7.5 | 2008/09/10
Note 1) Color Code for CVSS Base Score and Severity Level

CVSS Base Score | Severity Level
---|---
0.0~3.9 | I (Low)
4.0~6.9 | II (Medium)
7.0~10.0 | III (High)

Note 2) Color Code for Published Date

Published in 2007/4Q
Published in 2008/1Q
Published in 2008/2Q
Published in 2008/3Q
(*1) Japan Vulnerability Notes. A portal for vulnerability countermeasure information providing information on vendor responses to reported vulnerabilities and security support. Operated jointly by IPA and JPCERT/CC.
http://jvn.jp/en/
(*2) National Vulnerability Database. A vulnerability database operated by NIST.
http://nvd.nist.gov/home.cfm
(*3) National Institute of Standards and Technology. A U.S. federal agency that develops and promotes measurement, standards and technology.
http://www.nist.gov/
(*4) MITRE Corporation.
http://www.mitre.org/
(*5) How to Secure Your Web Site:
http://www.ipa.go.jp/security/english/vuln/200806_websecurity_en.html
(*6) The article on JVN iPedia's support of CVSS v2:
http://www.ipa.go.jp/security/vuln/SeverityLevel2.html (in Japanese)
(*7) Introduction to CVSS v2:
http://www.ipa.go.jp/security/vuln/SeverityCVSS2.html (in Japanese)
A Complete Guide to the Common Vulnerability Scoring System Version 2.0:
http://www.first.org/cvss/cvss-guide.html
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)