JVN iPedia Registration Status for 2009 1Q
~Started trial of automated collection of vulnerability countermeasure information released by product developers~
May 20, 2009
Information-technology Promotion Agency, Japan (IPA, Chairman Koji Nishigaki) has issued a quarterly analysis report on the vulnerabilities registered to JVN iPedia, a vulnerability countermeasure information database, for the first quarter (January – March) of the year 2009.
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/en/) aims to be a portal site that gathers vulnerability countermeasure information for software products used in Japan.
It collects and translates (1) vulnerability countermeasure information published by domestic software product developers, (2) vulnerability countermeasure information published on the vulnerability portal site JVN(*1), and (3) vulnerability countermeasure information published in the vulnerability database NVD(*2), administered by the National Institute of Standards and Technology (NIST)(*3), and has published this information since April 25, 2007.
The vulnerability countermeasure information registered in the 1st Quarter of 2009 (January 1, 2009 to March 31, 2009) to the Japanese version of JVN iPedia caused the cumulative total to surpass 6,000 cases.
Of these, 5 cases were gathered from domestic developers (73 cumulative cases since the start of publication), 31 from JVN (615 cumulative cases), and 260 from NVD (5,468 cumulative cases), bringing the quarterly total to 296 cases (6,156 cumulative cases) and the cumulative total past the 6,000 mark (Table 1, Figure 1).
In the English version of JVN iPedia, 5 cases were gathered from domestic product developers (73 cumulative cases) and 16 from JVN (353 cumulative cases) for a quarterly total of 21 cases (426 cumulative cases).
Table 1. Vulnerability Countermeasure Information Registered to JVN iPedia in 2009 1Q

| Version | Source | 2009 1Q | Total Sum |
|---|---|---|---|
| Japanese Version | Domestic Developers | 5 | 73 |
| | JVN | 31 | 615 |
| | NVD | 260 | 5,468 |
| | Total | 296 | 6,156 |
| English Version | Domestic Developers | 5 | 73 |
| | JVN | 16 | 353 |
| | Total | 21 | 426 |
In order to collect and store the vulnerability countermeasure information published by domestic software product developers and provide it to users, IPA has started a trial of automatically collecting information published in the JVNRSS (Japan Vulnerability Notes RSS) format (Figure 2).
JVNRSS is the format employed by JVN, by which IT users and system engineers can gather information efficiently. On April 28, 2009, the “Guide for the Release of Vulnerability Countermeasure Information Utilizing JVNRSS” (http://www.ipa.go.jp/security/vuln/jvnrss.html (in Japanese)) was published so that product developers can put the JVNRSS format to practical use.
Product developers who wish to use automatic collection should publish vulnerability countermeasure information in the JVNRSS format on their websites, using this guide as a reference, and at the same time apply to IPA for automatic collection.
IPA continually and automatically collects the vulnerability countermeasure information published in the JVNRSS format and registers it in JVN iPedia, which in turn provides it as comprehensive vulnerability countermeasure information to IT users, system engineers, and others.
Furthermore, by popularizing the JVNRSS format, IPA will develop an environment that enables users to implement vulnerability countermeasures efficiently.
Through this system, product developers can provide vulnerability countermeasures widely to product users through JVN iPedia. IPA will also translate this vulnerability countermeasure information into English and register it in the English version of JVN iPedia, providing the countermeasures to product users overseas.
In March, the number of accesses to JVN iPedia reached approximately 400,000 for the month, and JVN iPedia is widely used as the largest domestic vulnerability countermeasure information database. IPA encourages product developers to use this system as the method for publishing vulnerability countermeasure information in the future.
Figure 3 shows the vulnerability countermeasure information registered during the first quarter, classified by type using CWE (Common Weakness Enumeration)(*4).
The types of vulnerabilities that have a significant number are CWE-399 (Resource Management Errors) with 56 cases, CWE-119 (Buffer Errors) with 37 cases, CWE-264 (Permissions, Privileges, and Access Controls) with 32 cases, CWE-189 (Numeric Errors) with 21 cases, CWE-79 (Cross-site Scripting) with 19 cases, CWE-20 (Insufficient Input Validation) with 15 cases, CWE-200 (Information Leak) with 14 cases, and CWE-94 (Code Injection) with 9 cases.
Most of these are well-known types of vulnerabilities. Software developers should refer to the IPA guidelines that address such vulnerabilities, such as “How to Secure Your Web Site”(*5) and the “Secure Programming Course”(*6), to begin the implementation of security measures in the design phase of software development.
Figure 4 shows the annual changes in the severity of vulnerabilities added to JVN iPedia based on the date they were first made public by product developers or security portal sites.
The publication of vulnerability countermeasure information has increased dramatically since 2004, and continued to show an increasing tendency through 2008.
JVN iPedia rates each vulnerability according to the CVSS(*7) and publishes its severity level(*8).
In 2009, 44 percent of the vulnerabilities were rated “High” (CVSS Base Score 7.0-10.0), 44 percent “Medium” (CVSS Base Score 4.0-6.9), and 12 percent “Low” (CVSS Base Score 0.0-3.9).
Given the large number of published vulnerabilities at high severity levels, it is essential for product users to check vulnerability information daily and to apply new versions and security patches for the products in question without delay.
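The JVNRSS-based collection described above (a developer publishes advisories in JVNRSS, a consumer collects them automatically) and the CVSS severity levels used here can be exercised end to end with a small consumer script. The following Python is an added example, not code from IPA or JVN iPedia. It assumes a feed in the RSS 1.0 (RDF) shape carrying a `sec:` module; the `mod_sec` namespace URI, the `sec:identifier` element and the `sec:cvss` attribute names (`score`, `severity`, `vector`) are assumptions of this example, and the sample feed, identifiers, titles and scores are constructed. The script parses the feed, maps each CVSS v2 base score to Low/Medium/High using the thresholds stated in the report rather than trusting the severity the feed claims, summarizes the distribution in the style of Figure 4, flags entries whose stated severity disagrees with their score, and orders the scored entries so the highest-scored ones are applied first.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Namespaces of RSS 1.0 (RDF) plus the JVNRSS "mod_sec" module. The mod_sec
# URI and the attribute names on sec:cvss are assumptions of this example.
NS = {"rss": "http://purl.org/rss/1.0/", "dc": "http://purl.org/dc/elements/1.1/",
      "sec": "http://jvn.jp/rss/mod_sec/3.0/"}

# Constructed sample feed: identifiers, titles, dates and scores are made up.
# ADV-002 deliberately states a severity that contradicts its score and
# ADV-005 carries no sec:cvss element, so both edge cases are exercised.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns="http://purl.org/rss/1.0/"
         xmlns:dc="http://purl.org/dc/elements/1.1/"
         xmlns:sec="http://jvn.jp/rss/mod_sec/3.0/">
  <channel rdf:about="https://vendor.example/security/jvnrss.rdf"><title>Example Vendor advisories</title></channel>
  <item rdf:about="https://vendor.example/security/adv-001">
    <title>Buffer overflow in ExampleViewer</title>
    <sec:identifier>EXAMPLE-ADV-001</sec:identifier>
    <sec:cvss version="2.0" type="Base" score="7.5" severity="High" vector="AV:N/AC:L/Au:N/C:P/I:P/A:P"/>
    <dc:date>2009-02-12T10:00+09:00</dc:date>
  </item>
  <item rdf:about="https://vendor.example/security/adv-002">
    <title>Remote code execution in ExampleServer</title>
    <sec:identifier>EXAMPLE-ADV-002</sec:identifier>
    <sec:cvss version="2.0" type="Base" score="9.3" severity="Medium" vector="AV:N/AC:M/Au:N/C:C/I:C/A:C"/>
    <dc:date>2009-03-02T10:00+09:00</dc:date>
  </item>
  <item rdf:about="https://vendor.example/security/adv-003">
    <title>Cross-site scripting in ExampleWeb</title>
    <sec:identifier>EXAMPLE-ADV-003</sec:identifier>
    <sec:cvss version="2.0" type="Base" score="4.3" severity="Medium" vector="AV:N/AC:M/Au:N/C:N/I:P/A:N"/>
    <dc:date>2009-01-15T10:00+09:00</dc:date>
  </item>
  <item rdf:about="https://vendor.example/security/adv-004">
    <title>Information leak in ExampleTool</title>
    <sec:identifier>EXAMPLE-ADV-004</sec:identifier>
    <sec:cvss version="2.0" type="Base" score="2.6" severity="Low" vector="AV:N/AC:H/Au:N/C:P/I:N/A:N"/>
    <dc:date>2009-01-20T10:00+09:00</dc:date>
  </item>
  <item rdf:about="https://vendor.example/security/adv-005">
    <title>Advisory published without a CVSS score</title>
    <sec:identifier>EXAMPLE-ADV-005</sec:identifier>
    <dc:date>2009-03-20T10:00+09:00</dc:date>
  </item>
</rdf:RDF>
"""


def severity_level(base_score):
    """CVSS v2 base score -> JVN iPedia severity level, using the thresholds
    the report states: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score}")
    return "High" if base_score >= 7.0 else "Medium" if base_score >= 4.0 else "Low"


def parse_jvnrss(xml_text):
    """One dict per <item>; severity is recomputed from the score rather than
    trusted from the feed, and items without a score are kept as Unscored."""
    entries = []
    for item in ET.fromstring(xml_text).findall("rss:item", NS):
        cvss = item.find("sec:cvss", NS)
        score = float(cvss.get("score")) if cvss is not None and cvss.get("score") else None
        entries.append({
            "id": item.findtext("sec:identifier", default="", namespaces=NS),
            "title": item.findtext("rss:title", default="", namespaces=NS),
            "date": item.findtext("dc:date", default="", namespaces=NS),
            "score": score,
            "stated": cvss.get("severity") if cvss is not None else None,
            "severity": severity_level(score) if score is not None else "Unscored",
        })
    return entries


def severity_breakdown(entries):
    """(count, percent) per level over the scored entries, the Figure 4 view."""
    scored = [e for e in entries if e["score"] is not None]
    counts = Counter(e["severity"] for e in scored)
    return {lvl: (counts[lvl], 100.0 * counts[lvl] / len(scored) if scored else 0.0)
            for lvl in ("High", "Medium", "Low")}


def inconsistent_entries(entries):
    """Identifiers whose feed-stated severity disagrees with their score."""
    return [e["id"] for e in entries
            if e["score"] is not None and e["stated"] != e["severity"]]


def patch_order(entries):
    """Identifiers of scored entries, highest base score first."""
    scored = [e for e in entries if e["score"] is not None]
    return [e["id"] for e in sorted(scored, key=lambda e: e["score"], reverse=True)]


if __name__ == "__main__":
    feed = parse_jvnrss(SAMPLE_FEED)
    for e in feed:
        print(f'{e["id"]:16} {e["severity"]:8} {str(e["score"]):5} {e["title"]}')
    print("breakdown:", severity_breakdown(feed))
    print("stated severity inconsistent with score:", inconsistent_entries(feed))
    print("apply fixes in this order:", patch_order(feed))
```

Recomputing the level from the numeric score, instead of reading the feed's `severity` attribute, is the design choice worth keeping: a collector that aggregates many vendor feeds gets one consistent Low/Medium/High classification regardless of how carefully each publisher filled in the attribute, and the mismatch list gives the publisher something concrete to correct.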
Figure 5 shows the annual changes in the type of software products registered to JVN iPedia for having vulnerabilities, based on their respective publication dates.
Vulnerability countermeasure information is increasing annually for application software, including desktop applications such as Internet Explorer, Firefox, and Microsoft Office; middleware products such as web servers, application servers, and databases; and development/management platforms such as PHP, Java, and GNU libraries.
Each year, many new applications are developed and, since they bring new vulnerabilities with them, improving security measures for application software should be an especially high priority.
For OS such as Windows, Mac OS, UNIX, and Linux, the number of published vulnerability cases initially showed an increasing trend, but it has dropped off since 2005.
This is because, even though new vulnerabilities are discovered each year, vulnerability countermeasures for OS are implemented promptly in subsequent products.
Since around 2005, vulnerabilities in embedded software products in intelligent home appliances, such as network devices, mobile phones, and DVD recorders, have gradually begun to be published.
Figure 6 shows the annual changes in JVN iPedia registered vulnerabilities found in open source software (OSS) and non-OSS, based on the date they were first made public. 32 percent of the registered vulnerabilities are in OSS and 68 percent in non-OSS.
Looking at the OSS to non-OSS ratio by year, the ratio of OSS rose steadily from 1998 to 2003, but after peaking in 2003 it has shown a decreasing trend.
Figure 7 and 8 illustrate the breakdown of software vendors registered on JVN iPedia, with Figure 7 a representation of the different OSS vendors, and Figure 8 a representation of non-OSS vendors.
As shown in Figure 7, the registered OSS vendors consist of 54 domestic vendors, 21 foreign vendors with an office in Japan, and 176 foreign vendors without an office in Japan, for a total of 251 vendors.
Similarly, as Figure 8 represents, the 176 registered non-OSS vendors consist of 95 domestic vendors, 48 foreign vendors with an office in Japan, and 33 foreign vendors without an office in Japan.
In terms of OSS vendors, a vast amount of vulnerability countermeasure information is registered from foreign vendors without offices in Japan. When utilizing OSS, if a product user does not have the proper knowledge required to update software to the latest version or to apply security patches, it is necessary to consider contract arrangements for support and/or the use of product support services provided by the vendor.
Table 2 lists the top 20 most accessed vulnerability countermeasure information in the JVN iPedia database during the first quarter of 2009.
The latest vulnerability information on frequently used products, such as Becky! Internet Mail, Apache Tomcat, PHP, and products built on PHP, attracted many accesses.
In addition, vulnerability countermeasure information published some time ago, such as that on DNS, Virus Security, Apache Tomcat, and Lhaplus, also attracted many accesses, illustrating continued user interest in these products.
Table 3 lists the top 5 vulnerability countermeasure information accessed among the cases provided by domestic product developers.
Table 2. Top 20 Most Accessed Vulnerability Countermeasure Information on JVN iPedia

| # | ID | Title | Access | CVSS | Date |
|---|---|---|---|---|---|
| 1 | JVNDB-2009-000011 | | 3,232 | 6.8 | 2009/2/12 |
| 2 | JVNDB-2008-001495 | DNS cache poisoning vulnerability in multiple DNS products (in Japanese) | 2,636 | 6.4 | 2008/7/9 |
| 3 | JVNDB-2009-000010 | | 2,184 | 2.6 | 2009/2/26 |
| 4 | JVNDB-2008-000050 | Virus Security and Virus Security ZERO denial of service (DoS) vulnerability | 1,835 | 4.3 | 2008/8/12 |
| 5 | JVNDB-2009-000008 | Fulltext search CGI vulnerability allows third party to gain administrative privileges | 1,177 | 7.5 | 2009/1/23 |
| 6 | JVNDB-2009-000006 | | 1,170 | 4.3 | 2009/1/15 |
| 7 | JVNDB-2009-000007 | | 1,074 | 2.6 | 2009/1/20 |
| 8 | JVNDB-2008-000084 | | 923 | 2.6 | 2008/12/19 |
| 9 | JVNDB-2009-000005 | | 865 | 5.1 | 2009/1/9 |
| 10 | JVNDB-2007-001017 | Improper HTTP method examination for Apache HTTP Server 413 Error Message (in Japanese) | 846 | 4.3 | 2007/12/3 |
| 11 | JVNDB-2009-000012 | Buffer overflow vulnerability in ActiveX Control for Sony SNC series network cameras | 761 | 6.8 | 2009/2/23 |
| 12 | JVNDB-2008-000009 | | 755 | 4.3 | 2008/2/12 |
| 13 | JVNDB-2009-000009 | | 753 | 2.6 | 2009/2/10 |
| 14 | JVNDB-2009-000003 | | 726 | 4.3 | 2009/1/9 |
| 15 | JVNDB-2009-000001 | | 721 | 3.5 | 2009/1/7 |
| 16 | JVNDB-2008-000086 | | 721 | 5.0 | 2008/12/25 |
| 17 | JVNDB-2009-000013 | | 720 | 4.3 | 2009/2/25 |
| 18 | JVNDB-2008-000022 | | 682 | 6.8 | 2008/4/28 |
| 19 | JVNDB-2009-000002 | | 672 | 4.3 | 2009/1/8 |
| 20 | JVNDB-2009-000014 | MP Form Mail CGI vulnerability allows third party to gain administrative privileges | 660 | 7.5 | 2009/3/10 |
Table 3. Top 5 Most Accessed Vulnerability Countermeasure Information From Domestic Developers

| # | ID | Title | Access | CVSS | Date |
|---|---|---|---|---|---|
| 1 | JVNDB-2008-001150 | JP1/HIBUN Encryption/Decryption and Removable Media Control Malfunction Problems | 603 | 3.6 | 2008/2/27 |
| 2 | JVNDB-2008-001313 | JP1/Cm2/Network Node Manager Denial of Service Vulnerability | 377 | 5.0 | 2008/4/4 |
| 3 | JVNDB-2008-001647 | | 360 | 7.5 | 2008/8/14 |
| 4 | JVNDB-2008-001911 | Groupmax Workflow - Development Kit for Active Server Pages Cross-Site Scripting Vulnerability | 340 | 5.0 | 2008/10/31 |
| 5 | JVNDB-2008-001895 | JP1/VERITAS NetBackup JAVA Administration GUI Privilege Escalation Vulnerability | 248 | 6.5 | 2008/10/24 |
Note 1) Color Code for CVSS Base Score and Severity Level

| CVSS Base Score | Severity Level |
|---|---|
| 0.0~3.9 | Low |
| 4.0~6.9 | Medium |
| 7.0~10.0 | High |

Note 2) Color Code for Published Date

- Published in ~2008/2Q
- Published in 2008/3Q
- Published in 2008/4Q
- Published in 2009/1Q
(*1) Japan Vulnerability Notes. A portal for vulnerability countermeasure information providing information on vendor response to reported vulnerabilities and security support. Operated jointly by IPA and JPCERT/CC. http://jvn.jp/en/
(*2) National Vulnerability Database. A vulnerability database operated by NIST. http://nvd.nist.gov/home.cfm
(*3) National Institute of Standards and Technology. A U.S. federal agency that develops and promotes measurement, standards and technology. http://www.nist.gov/
(*4) Refer to “CWE (Common Weakness Enumeration) Overview”: http://www.ipa.go.jp/security/english/vuln/CWE_en.html
(*5) How to Secure Your Web Site: http://www.ipa.go.jp/security/english/vuln/200806_websecurity_en.html
(*6) Secure Programming Course (in Japanese): http://www.ipa.go.jp/security/awareness/vendor/programmingv2/index.html
(*7) Common Vulnerability Scoring System (CVSS) v2 Summary: http://www.ipa.go.jp/security/vuln/SeverityCVSS2.html (in Japanese); A Complete Guide to the Common Vulnerability Scoring System Version 2.0: http://www.first.org/cvss/cvss-guide.html (FIRST - Forum of Incident Response and Security Teams)
(*8) Transition to the New Version of Vulnerability Severity Scoring System CVSS v2. CVSS (Common Vulnerability Scoring System). http://www.ipa.go.jp/security/vuln/SeverityLevel2.html (in Japanese)
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: