
IPA/ISEC:Vulnerabilities:JVN iPedia Registration Status for 2008 4Q

February 10, 2009

Information-technology Promotion Agency, Japan (IPA, Chairman Koji Nishigaki) has issued a quarterly analysis report on the vulnerability information registered to JVN iPedia, a vulnerability countermeasure information database, for the fourth quarter of the year 2008.

The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/en/) aims to be a portal that gathers vulnerability countermeasure information for software products used in Japan.

Since April 25, 2007, it has collected and translated (1) vulnerability countermeasure information published by domestic software product developers, (2) vulnerability countermeasure information published on the vulnerability portal site JVN(*1), and (3) vulnerability countermeasure information published in the vulnerability database NVD(*2), administered by the National Institute of Standards and Technology (NIST)(*3), and has published it continuously.

1. Summary of the 2008 4Q

1.1 Many Well-Known Vulnerabilities Still Left Unattended

Figure 1 shows the vulnerability countermeasure information registered during the fourth quarter, broken down by type using CWE (Common Weakness Enumeration)(*4).

The most numerous types are CWE-264 (Permissions, Privileges, and Access Controls) with 61 cases, CWE-79 (Cross-site Scripting) with 52 cases, CWE-20 (Improper Input Validation) with 51 cases, CWE-119 (Failure to Constrain Operations within the Bounds of a Memory Buffer) with 49 cases, CWE-399 (Resource Management Errors) with 48 cases, CWE-89 (SQL Injection) with 33 cases, CWE-189 (Numeric Errors) with 27 cases, and CWE-200 (Information Leak) with 23 cases.

Most of these are well-known types of vulnerabilities. Software developers should refer to the IPA guidelines that address them, such as "How to Secure Your Web Site"(*5) and the "Secure Programming Course"(*6), and build security measures in from the design phase of software development.

Figure 1. Vulnerability Types Registered in 2008/4Q

1.2 Publication of CWE/SANS Top 25 Most Dangerous Programming Errors

On January 12, 2009, MITRE(*7) and SANS(*8) compiled and published the "2009 CWE/SANS Top 25 Most Dangerous Programming Errors"(*9). IPA was one of the more than 30 contributing organizations(*10), which also included CERT, Symantec, Microsoft, Red Hat, the U.S. Department of Homeland Security, and the U.S. National Security Agency.

The Top 25 list was created by selecting, from the more than 700 weakness types catalogued in CWE, those that can lead to serious software vulnerabilities: they occur frequently, are often easy to find, and are easy to exploit.

The list is divided into three categories: (1) "Insecure Interaction Between Components", (2) "Risky Resource Management", and (3) "Porous Defenses".

(1) "Insecure Interaction Between Components" consists of nine weaknesses, such as CWE-20 (Improper Input Validation), CWE-89 (SQL Injection), CWE-79 (Cross-site Scripting), CWE-78 (OS Command Injection), CWE-352 (Cross-Site Request Forgery), and CWE-362 (Race Condition).

(2) "Risky Resource Management" consists of nine weaknesses, such as CWE-119 (Failure to Constrain Operations within the Bounds of a Memory Buffer), CWE-642 (External Control of Critical State Data), and CWE-94 (Code Injection).

(3) "Porous Defenses" consists of seven weaknesses, such as CWE-285 (Improper Access Control), CWE-327 (Use of a Broken or Risky Cryptographic Algorithm), and CWE-259 (Hard-Coded Password).

The Top 25 list was compiled in the expectation that it will serve as an educational tool for software developers and encourage the development of products that do not contain these weaknesses.

1.3 JVN iPedia, MyJVN Declaration for CVE Compatibility

CVE (Common Vulnerabilities and Exposures)(*11) is a scheme operated by MITRE, a non-profit organization supported by the United States government, that assigns a unique identifier to each vulnerability in IT products. Many vulnerability assessment tools and vulnerability countermeasure information services use CVE identifiers.

Because each vulnerability has a single common identifier, it is possible to tell whether vulnerability information published by organization A and by organization B refers to the same vulnerability, and to link and cross-reference vulnerability countermeasure information from different sources by CVE identifier.
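The cross-referencing described above, as an added example that is not JVN iPedia's, NVD's or MITRE's code: records from two feeds are indexed by the CVE-IDs they reference, so that entries for the same vulnerability can be matched and entries that carry no CVE-ID (which cannot be correlated at all) can be flagged. The two feeds and every JVNDB and CVE number in them are constructed for illustration and do not correspond to real entries.

```python
"""Correlating vulnerability records from different sources by CVE identifier.

Added example; not JVN iPedia's, NVD's or MITRE's code. The feeds below are
constructed for illustration; the JVNDB and CVE numbers are not real entries.
"""
import re
from collections import defaultdict

# CVE-ID syntax: "CVE-" + four-digit year + sequence number. The sequence
# number has at least four digits (more are allowed since the 2014 syntax change).
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def cve_ids(text):
    """Return the set of CVE-IDs mentioned in free text, normalised to upper case."""
    return {match.upper() for match in CVE_RE.findall(text)}


def correlate(sources):
    """Index every record by the CVE-IDs it references.

    sources: {source_name: [{"id": record_id, "refs": free text}, ...]}
    returns: {cve_id: {source_name: [record_id, ...]}}
    """
    index = defaultdict(lambda: defaultdict(list))
    for source, records in sources.items():
        for record in records:
            for cve in cve_ids(record["refs"]):
                index[cve][source].append(record["id"])
    return {cve: dict(by_source) for cve, by_source in index.items()}


def shared(index, source_a, source_b):
    """CVE-IDs that both sources have a record for: the 'same vulnerability' check."""
    return {cve for cve, by_source in index.items()
            if source_a in by_source and source_b in by_source}


def only_in(index, source):
    """CVE-IDs that only this one source reports."""
    return {cve for cve, by_source in index.items() if set(by_source) == {source}}


def without_cve(sources):
    """Records that reference no CVE-ID; they cannot be matched to other sources."""
    return [(source, record["id"]) for source, records in sources.items()
            for record in records if not cve_ids(record["refs"])]


# Constructed sample feeds (not real advisories).
SAMPLE_SOURCES = {
    "jvn_ipedia": [
        {"id": "JVNDB-2008-990001", "refs": "Related: CVE-2008-99990"},
        {"id": "JVNDB-2008-990002", "refs": "Related: cve-2008-99991 and CVE-2008-99992"},
        {"id": "JVNDB-2008-990003", "refs": "Domestic product; no CVE assigned yet"},
    ],
    "nvd": [
        {"id": "CVE-2008-99990", "refs": "CVE-2008-99990"},
        {"id": "CVE-2008-99991", "refs": "CVE-2008-99991"},
        {"id": "CVE-2008-99993", "refs": "CVE-2008-99993"},
    ],
}

if __name__ == "__main__":
    index = correlate(SAMPLE_SOURCES)
    print("in both feeds:", sorted(shared(index, "jvn_ipedia", "nvd")))
    print("only in NVD:", sorted(only_in(index, "nvd")))
    print("not correlatable:", without_cve(SAMPLE_SOURCES))
```

The regex is deliberately strict about the identifier shape and case-insensitive about its spelling, since advisories frequently write "cve-" in lower case; matching only on the normalised identifier, never on titles or product names, is what keeps two sources' records from being conflated by accident.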

MITRE works with over 80 organizations on CVE, including CERT/CC, HP, IBM, OSVDB, Red Hat, and Symantec, collaborating on keeping each identifier unique and on gathering vulnerability information.

To conform to and take part in the MITRE CVE scheme, JVN iPedia has been requesting CVE identifiers for the vulnerabilities it publishes, and in October 2008 it was officially listed as one of the information sources recognized by MITRE for CVE(*12).

Furthermore, to signal its intention to cooperate, JVN iPedia, together with MyJVN, a tool for filtering vulnerability countermeasure information that was released to the public in October 2008, made a declaration of CVE compatibility in December 2008(*13).

IPA plans to continue adopting these common standards, promoting the global flow of vulnerability countermeasure information and maintaining and improving the infrastructure that helps users take objective and efficient countermeasures against vulnerabilities.

1.4 Vulnerabilities Registered in 2008 4Q

As can be seen in Table 1 and Figure 2, during the fourth quarter of 2008 (from October 1st through December 31st), a total of 513 vulnerability cases – 6 cases from domestic software developers, 67 cases compiled through JVN, and 440 cases gathered from NVD – were registered to JVN iPedia.

The total sum of vulnerability countermeasure information registered since the initial release of JVN iPedia on April 25, 2007, is 5,860 cases. Of those vulnerabilities, 68 were collected from domestic software vendors, 584 cases from JVN, and 5,208 cases from NVD.

The number of accesses to JVN iPedia now exceeds 200,000 per month, and expectations for its continuing role as a vulnerability countermeasure information database are growing.

Table 1. Vulnerabilities Registered in 2008/4Q

Source                2008 4Q   Total Sum
Domestic Developers         6          68
JVN                        67         584
NVD                       440       5,208
Total                     513       5,860

Figure 2. Quarterly Changes in Number of Registered Vulnerabilities

2. About Vulnerabilities Registered on JVN iPedia

2.1 Severity of Vulnerabilities

Figure 3 shows the annual changes in the severity of vulnerabilities added to JVN iPedia based on the date they were first made public by product developers or security portal sites.

The publication of vulnerability countermeasure information has increased dramatically since 2004; a total of 1,270 cases were made public in 2008.

JVN iPedia rates and publishes the severity level(*14) of each vulnerability according to the CVSS(*15). In 2008, 49 percent of the vulnerabilities were labeled level “High”(CVSS Base Score = 7.0-10.0), 45 percent were labeled level “Medium”(CVSS Base Score = 4.0-6.9) and 6 percent were level “Low”(CVSS Base Score = 0.0-3.9).

Given the large number of published high-severity vulnerabilities, product users should check vulnerability information daily and apply new versions and security patches for the products they use without delay.

Figure 3. Annual Changes in Severity of Vulnerabilities

2.2 Kinds of Products

Figure 4 shows the annual changes in the type of software products registered to JVN iPedia for having vulnerabilities, based on their respective publication dates.

Vulnerability countermeasure information is increasing every year for application software, including desktop applications such as Internet Explorer, Firefox, and Microsoft Office; middleware such as web servers, application servers, and databases; and development/management platforms such as PHP, Java, and the GNU libraries.

Many new applications are developed each year and bring new vulnerabilities with them, so improving security measures for application software should be an especially high priority.

For operating systems such as Windows, Mac OS, UNIX and Linux, the number of published vulnerabilities initially showed an increasing trend, but it has dropped off since 2005.

This is because, even though new vulnerabilities are discovered every year, countermeasures for OS vulnerabilities are promptly incorporated in the subsequent release.

Since around 2005, vulnerabilities in the embedded software of network devices, mobile phones, DVD recorders and other intelligent home appliances have gradually begun to be published as well.

Figure 4. Annual Changes in Kinds of Products w/ Vulnerabilities

2.3 Open Source Software

Figure 5 shows the annual changes in JVN iPedia registered vulnerabilities found in open source software (OSS) and in non-OSS, based on the date they were first made public. 31 percent of the registered vulnerabilities are in OSS and 69 percent in non-OSS.

Looking at the OSS to non-OSS ratio year by year, the share of OSS rose steadily from 1998 to 2003, but after peaking in 2003 it has been declining.

Figure 5. Annual Changes in Number of OSS and Non OSS Cases

2.4 Product Vendors

Figures 6 and 7 show the breakdown of software vendors registered on JVN iPedia: Figure 6 covers OSS vendors and Figure 7 non-OSS vendors.

As shown in Figure 6, the 248 registered OSS vendors consist of 53 domestic vendors, 21 foreign vendors with a Japan office, and 174 foreign vendors without an office in Japan.

Similarly, as Figure 7 represents, the 167 registered non-OSS vendors consist of 95 domestic vendors, 47 foreign vendors with an office in Japan, and 25 foreign vendors without an office in Japan.

In terms of OSS vendors, a vast amount of vulnerability countermeasure information is registered from foreign vendors without offices in Japan.

When using OSS, a product user who lacks the knowledge required to update to the latest version or to apply security patches should consider a support contract and/or the product support services offered by the vendor.

Figure 6. OSS Vendors / Figure 7. Non-OSS Vendors

3. Most Accessed Vulnerability Countermeasure Information

Table 2 lists the 20 most accessed vulnerability countermeasure information entries in the JVN iPedia database during the fourth quarter of 2008. The latest vulnerability information on widely used products, such as DNS and Apache, and on content management products, such as Movable Type, EC-CUBE, and Blosxom, attracted large numbers of accesses.

Table 3 lists the 5 most accessed vulnerability countermeasure information entries among those provided by domestic product developers.

Table 2. Top 20 Most Accessed Vulnerability Countermeasure Information on JVN iPedia

#  | ID                | Title | Access Count | CVSS Score | Date Public
1  | JVNDB-2008-001495 | DNS cache poisoning vulnerability in multiple DNS products (in Japanese) | 2,603 | 6.4 | 2008/7/9
2  | JVNDB-2008-000072 | Movable Type cross-site scripting vulnerability | 2,284 | 4.0 | 2008/10/17
3  | JVNDB-2008-000068 | hisa_cart information disclosure vulnerability | 2,138 | 5.0 | 2008/10/17
4  | JVNDB-2008-000070 | Internet Explorer vulnerable in handling CDO protocol | 2,133 | 2.6 | 2008/10/20
5  | JVNDB-2008-000071 | MyNETS cross-site scripting vulnerability | 2,038 | 3.5 | 2008/10/20
6  | JVNDB-2008-000073 | Blosxom vulnerable to cross-site scripting | 1,995 | 4.3 | 2008/10/20
7  | JVNDB-2008-000065 | EC-CUBE vulnerable to SQL injection | 1,578 | 7.5 | 2008/10/1
8  | JVNDB-2008-000069 | Apache Tomcat allows access from a non-permitted IP address | 1,546 | 2.6 | 2008/10/10
9  | JVNDB-2008-000050 | Virus Security and Virus Security ZERO denial of service (DoS) vulnerability | 1,085 | 4.3 | 2008/8/12
10 | JVNDB-2008-000074 | Snoopy command injection vulnerability | 970 | 5.1 | 2008/10/28
11 | JVNDB-2008-000062 | EC-CUBE cross-site scripting vulnerability | 947 | 4.3 | 2008/10/1
12 | JVNDB-2008-000064 | EC-CUBE cross-site scripting vulnerability | 918 | 4.3 | 2008/10/1
13 | JVNDB-2008-000063 | EC-CUBE cross-site scripting vulnerability | 902 | 4.3 | 2008/10/1
14 | JVNDB-2008-000066 | Nucleus EUC-JP Japanese Edition vulnerable to cross-site scripting | 862 | 4.3 | 2008/10/6
15 | JVNDB-2008-000079 | I-O DATA DEVICE HDL-F series cross-site request forgery vulnerability | 842 | 7.0 | 2008/11/26
16 | JVNDB-2008-000084 | PHP vulnerable to cross-site scripting | 766 | 2.6 | 2008/12/19
17 | JVNDB-2008-000067 | Movable Type Enterprise cross-site scripting vulnerability | 718 | 4.3 | 2008/12/3
18 | JVNDB-2008-000022 | Lhaplus buffer overflow vulnerability | 542 | 6.8 | 2008/4/28
19 | JVNDB-2008-000083 | Predictable session ID vulnerability in Access Analyzer CGI by futomi's CGI Cafe | 507 | 5.8 | 2008/12/12
20 | JVNDB-2008-000009 | Apache Tomcat fails to properly handle cookie value | 502 | 4.3 | 2008/2/12

Table 3. Top 5 Most Accessed Vulnerability Countermeasure Information From Domestic Developers

# | ID                | Title | Access Count | CVSS Score | Date Public
1 | JVNDB-2008-001911 | Groupmax Workflow - Development Kit for Active Server Pages Cross-Site Scripting Vulnerability | 258 | 5.0 | 2008/10/31
2 | JVNDB-2008-001895 | JP1/VERITAS NetBackup JAVA Administration GUI Privilege Escalation Vulnerability | 248 | 6.5 | 2008/10/24
3 | JVNDB-2008-001647 | Jasmine WebLink Template Multiple Vulnerabilities | 246 | 7.5 | 2008/8/14
4 | JVNDB-2008-001150 | JP1/HIBUN Encryption/Decryption and Removable Media Control Malfunction Problems | 156 | 3.6 | 2008/2/27
5 | JVNDB-2008-001313 | JP1/Cm2/Network Node Manager Denial of Service Vulnerability | 155 | 5.0 | 2008/4/4


Note 1) Color Code for CVSS Base Score and Severity Level

CVSS Base Score = 0.0~3.9  : Severity Level = Low
CVSS Base Score = 4.0~6.9  : Severity Level = Medium
CVSS Base Score = 7.0~10.0 : Severity Level = High

Note 2) Color Code for Published Date

Published in 2008/1Q / 2008/2Q / 2008/3Q / 2008/4Q

Footnote

(*1)Japan Vulnerability Notes: a portal for vulnerability countermeasure information that provides information on vendor responses to reported vulnerabilities and on security support. Operated jointly by IPA and JPCERT/CC.
http://jvn.jp/en/

(*2)National Vulnerability Database: A vulnerability database operated by NIST.
http://nvd.nist.gov/home.cfm

(*3)National Institute of Standards and Technology: a U.S. federal agency that develops and promotes measurement, standards and technology.
http://www.nist.gov/

(*4)Refer to “CWE (Common Weakness Enumeration) Overview”:
http://www.ipa.go.jp/security/english/vuln/CWE_en.html

(*5)How to Secure Your Web Site:
http://www.ipa.go.jp/security/english/vuln/200806_websecurity_en.html

(*6)Secure Programming Course (in Japanese):
http://www.ipa.go.jp/security/awareness/vendor/programmingv2/index.html

(*7)MITRE Corporation: A not-for-profit organization that provides information technology support and research and development to the U.S. government.
http://www.mitre.org/

(*8)SANS Institute: an organization that offers IT security education and conducts research with government and private companies.
http://www.sans.org/

(*9)http://cwe.mitre.org/top25/

(*10)http://cwe.mitre.org/top25/contributors.html

(*11)A scheme in which a unique, common identification number, called a "CVE identifier (CVE-ID)", is assigned to each vulnerability; managed and operated by the non-profit American MITRE Corporation. Refer to "CVE (Common Vulnerabilities and Exposures) Overview" for a summary:
http://www.ipa.go.jp/security/english/vuln/CVE_en.html

(*12)http://cve.mitre.org/data/refs/index.html#sources

(*13)http://cve.mitre.org/compatible/organizations.html#information_technology_promotion_agency_japan_ipa

(*14)Transition to the New Version of Vulnerability Severity Scoring System CVSS v2. CVSS (Common Vulnerability Scoring System).
http://www.ipa.go.jp/security/vuln/SeverityLevel2.html (in Japanese)

(*15)Common Vulnerability Scoring System (CVSS) v2 Summary:
http://www.ipa.go.jp/security/vuln/SeverityCVSS2.html (in Japanese)
A Complete Guide to the Common Vulnerability Scoring System Version 2.0:
http://www.first.org/cvss/cvss-guide.html


Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: