IPA/ISEC:Vulnerabilities:JVN iPedia Registration Status for 2009 2Q

~Evaluation and Implementation of Vulnerability Types Utilizing the Common Weakness Enumeration (CWE)~

July 24, 2009

Information-technology Promotion Agency, Japan (IPA, Chairman Koji Nishigaki) has issued a quarterly analysis report on the vulnerabilities registered to JVN iPedia, a vulnerability countermeasure information database, for the second quarter (April - June) of the year 2009.

Vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/en/) is endeavoring to become a portal site where vulnerability countermeasure information for software products utilized within the country of Japan is gathered.

It has gathered and translated (1) vulnerability countermeasure information made public by domestic software product developers, (2) vulnerability countermeasure information made public on the vulnerability portal site JVN(*1), and (3) vulnerability countermeasure information made public by NVD(*3), the vulnerability database administered by the National Institute of Standards and Technology (NIST)(*2), and has continued to publish this information since April 25, 2007.

(1) Vulnerabilities Registered in Second Quarter 2009

The vulnerability countermeasure information registered in the 2nd Quarter of 2009 (April 1, 2009 to June 30, 2009) to the Japanese version of JVN iPedia totaled 510 cases (cumulative total of 6,666 cases).

Of these, 1 case was gathered from domestic developer sources (74 cumulative cases since the start of publication), 55 cases from JVN (670 cumulative cases), and 454 cases from NVD (5,922 cumulative cases) (Table 1, Figure 1).

In the English version of JVN iPedia, 1 case was gathered from domestic product developers (74 cumulative cases) and 24 from JVN (377 cumulative cases) for a quarterly total of 25 cases (451 cumulative cases).

Table 1. Vulnerabilities Registered in 2009/2Q

  Version            Source               2009 2Q   Total Sum
  Japanese Version   Domestic Developers        1          74
                     JVN                       55         670
                     NVD                      454       5,922
                     Total                    510       6,666
  English Version    Domestic Developers        1          74
                     JVN                       24         377
                     Total                     25         451

Figure 1. Quarterly Change in Number of Registered Vulnerabilities

(2) Expansion of information for the classification of vulnerability types

JVN iPedia has been implementing the CWE, Common Weakness Enumeration, to classify different vulnerabilities since September of 2008.

CWE classification information also continues to be added to vulnerability countermeasure information registered before this classification method was introduced. Of the vulnerability information currently registered in JVN iPedia, 4,400 vulnerability countermeasure information entries can now be classified and analyzed by CWE.

Furthermore, JVN iPedia underwent a version upgrade on June 18, 2009, in which the 19 weakness types of the CWE list used in JVN iPedia were translated into Japanese. This information is displayed by clicking the CWE classification identifier shown in the References section of a JVN iPedia entry. It can also be displayed by clicking the CWE classification identifier in section 4 of "CWE (Common Weakness Enumeration) Overview".

For each weakness, the CWE list contains information such as a summary, the likelihood of exploit, common consequences, mitigation measures, demonstrative code examples, and observed examples. The list helps reduce the occurrence of vulnerabilities and can also be used as a reference dictionary for recurrence prevention.

(3) Analysis of Vulnerability Types

Figure 2 displays the transition in the types of vulnerabilities published annually. Each year, the five vulnerability types CWE-119 (Buffer Errors), CWE-399 (Resource Management Errors), CWE-264 (Permissions, Privileges, and Access Controls), CWE-79 (Cross-Site Scripting), and CWE-20 (Improper Input Validation) make up over 60% of the vulnerabilities registered that year.

The proportions of CWE-79 (Cross-Site Scripting), CWE-20 (Improper Input Validation), and CWE-94 (Code Injection) also show an increasing tendency.

These are well-known vulnerability types. Product developers should use references such as "How to Secure Your Web Site 3rd Edition", published by IPA and covering these vulnerabilities, to consider information security from the planning/design phase of software product development.

Figure 2. Transition of Vulnerability Types by Publication Year

(4) The commencement of automatic collection of vulnerability countermeasure information released by product developers

In order to collect and store vulnerability countermeasure information published by domestic software product developers and provide it to users, a test run of the automatic collection of released information in JVNRSS(*4) (Japan Vulnerability Notes RSS) format has been ongoing since its commencement on April 28, 2009 (Figure 3).

The organizations participating in the transmission of vulnerability countermeasure information in JVNRSS format are listed in "The Automatic Collection of Vulnerability Countermeasure Information Released by Product Developers (in Japanese)".

Through this framework, product developers can widely provide vulnerability countermeasures to product users via JVN iPedia. Furthermore, IPA will translate this vulnerability countermeasure information into English and register it in the English version of JVN iPedia, providing the vulnerability countermeasures to product users overseas.

IPA expects that many product developers will participate in this new framework. For further information, or to apply for participation, please refer to "Guide for the Dispatch of Vulnerability Countermeasure Information Utilizing JVNRSS", which is linked from "The Automatic Collection of Vulnerability Countermeasure Information Released by Product Developers".

Figure 3. Automated Collection Method of Dispatched Vulnerability Countermeasure Information

(5) Access Status of Second Quarter 2009

Vulnerability countermeasure information on DNS, Virus Security, Apache Tomcat, and OpenSSL continues to be accessed by many users well after its initial publication, indicating the attention this information is attracting.

Among recently published information, commonly used products such as iPhone OS, the "Ichitaro" series, and products utilizing PHP or Perl also recorded high access counts (Table 2).

JVN iPedia recorded over 400,000 accesses in the month of June, raising expectations that it will be more widely utilized as a database for aggregating vulnerability countermeasure information in the future.

1. Summary of the 2009 2Q

1.1 Many well-known types of vulnerability countermeasure information still published

Figure 4 illustrates the number of vulnerability countermeasure information entries registered during the first quarter, sorted by type using CWE.

The vulnerability types with significant numbers are CWE-20 (Insufficient Input Validation) with 61 cases, CWE-79 (Cross-site Scripting) with 53 cases, CWE-119 (Buffer Errors) with 51 cases, CWE-399 (Resource Management Error) with 38 cases, CWE-189 (Numeric Errors) with 30 cases, CWE-264 (Permissions, Privileges, and Access Controls) with 29 cases, and CWE-94 (Code Injection) with 21 cases.

Most of these are well-known types of vulnerabilities. Software developers should refer to the IPA guidelines that address such vulnerabilities, such as "How to Secure Your Web Site"(*5), to consider information security from the planning/design phase of software product development.

Figure 4. Vulnerability Types Registered in 2009/2Q

1.2 Severity of Vulnerabilities

Figure 5 shows the annual transitions in the severity of vulnerabilities added to JVN iPedia based on the date they were first made public by product developers or security portal sites.

The publication of vulnerability countermeasure information has increased dramatically since 2004, and continued to show an increasing tendency through 2008.

JVN iPedia rates each vulnerability according to CVSS(*6) and publishes its severity level(*7).

In the first half of 2009 (January – June), 37 percent of the vulnerabilities were labeled level “High”(CVSS Base Score = 7.0-10.0), 56 percent were labeled level “Medium”(CVSS Base Score = 4.0-6.9) and 7 percent were level “Low”(CVSS Base Score = 0.0-3.9).

Given the large number of published vulnerabilities at the high severity level, it is essential for product users to keep up with this information on a daily basis; new versions and security patches for the product in question should be applied without delay.

Figure 5. Annual Changes in Severity of Vulnerabilities
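The severity levels above are derived from CVSS v2 base scores by the band boundaries stated in section 1.2 (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0), and Tables 2 and 3 bucket entries by publication quarter (Note 2). The following is an added example, not code from IPA or JVN iPedia, that reproduces both classifications and tallies a set of rows. The rows are a subset of Table 2 in this report; the function names and the rounding rule at the band boundary are my own assumptions.

```python
from collections import Counter
from datetime import date

# CVSS v2 base-score bands and severity labels as used by JVN iPedia (section 1.2).
# Ordered from the highest lower bound down so the first match wins.
SEVERITY_BANDS = (
    (7.0, "High"),    # 7.0 - 10.0
    (4.0, "Medium"),  # 4.0 - 6.9
    (0.0, "Low"),     # 0.0 - 3.9
)


def severity(base_score):
    """Map a CVSS v2 base score (0.0-10.0, one decimal) to the report's severity level."""
    # Published scores carry one decimal; rounding first (an assumption of this example)
    # keeps a value such as 6.95 from arithmetic elsewhere from straddling the 6.9/7.0 edge.
    score = round(float(base_score), 1)
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score!r}")
    for lower_bound, label in SEVERITY_BANDS:
        if score >= lower_bound:
            return label
    raise AssertionError("unreachable: 0.0 band matches every valid score")


def quarter(published):
    """Return the 'YYYY/nQ' bucket of Note 2 for a 'YYYY/M/D' date string."""
    year, month, day = (int(part) for part in published.split("/"))
    date(year, month, day)  # validates the calendar date; raises ValueError otherwise
    return f"{year}/{(month - 1) // 3 + 1}Q"


# Sample rows taken from Table 2 of the report: (JVNDB id, CVSS base score, date public).
# Only ten of the twenty rows are used here.
SAMPLE_ROWS = [
    ("JVNDB-2008-001495", 6.4, "2008/7/9"),
    ("JVNDB-2008-000050", 4.3, "2008/8/12"),
    ("JVNDB-2005-000601", 2.6, "2005/10/11"),
    ("JVNDB-2009-000010", 2.6, "2009/2/26"),
    ("JVNDB-2009-000040", 7.8, "2009/6/18"),
    ("JVNDB-2009-000018", 6.8, "2009/4/7"),
    ("JVNDB-2009-000032", 10.0, "2009/5/29"),
    ("JVNDB-2006-000594", 10.0, "2006/9/28"),
    ("JVNDB-2009-000016", 7.5, "2009/3/31"),
    ("JVNDB-2008-000009", 4.3, "2008/2/12"),
]


def summarize(rows):
    """Tally rows by severity level and by publication quarter, with a percentage per level."""
    by_severity = Counter(severity(score) for _, score, _ in rows)
    by_quarter = Counter(quarter(published) for _, _, published in rows)
    total = len(rows)
    percent = {level: round(100 * count / total) for level, count in by_severity.items()}
    return {
        "by_severity": dict(by_severity),
        "percent": percent,
        "by_quarter": dict(by_quarter),
    }


if __name__ == "__main__":
    for row_id, score, published in SAMPLE_ROWS:
        print(f"{row_id}  {score:4.1f}  {severity(score):6}  {quarter(published)}")
    print(summarize(SAMPLE_ROWS))
```

Note that the boundary check in `severity` is inclusive at the lower edge of each band, which is what the report's ranges (4.0-6.9, 7.0-10.0) imply; a score of exactly 6.9 is Medium and 7.0 is High.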

1.3 Kinds of Products

Figure 6 shows the annual changes in the type of products registered to JVN iPedia for vulnerabilities, based on their respective publication dates.

Vulnerability countermeasure information is increasing annually for application software, including desktop applications such as Internet Explorer, Firefox, and Microsoft Office; middleware products such as web servers, application servers, and databases; and development/management platforms such as PHP, Java, and the GNU libraries.

Each year, many new applications are developed and, since they are accompanied by new vulnerabilities, improving security measures concerning application software should be of especially high priority.

For operating systems such as Windows, Mac OS, UNIX, and Linux, the number of published vulnerability cases initially showed an increasing trend, but the number has dropped off since 2005.

This is because, even though new vulnerabilities are discovered each year, OS vulnerability countermeasures are implemented promptly in subsequent product versions.

Since around 2005, vulnerabilities in embedded software products in intelligent home appliances, such as network devices, mobile phones, and DVD recorders, have gradually begun to be published.

Figure 6. Annual Changes in Kinds of Products With Vulnerabilities

1.4 Open Source Software

Figure 7 shows the annual changes in JVN iPedia registered vulnerabilities found in open source software (OSS) and non-OSS, based on the date they were first made public. Of the vulnerabilities registered, 32 percent are in OSS and 68 percent in non-OSS.

Viewed annually, the ratio of OSS to non-OSS rose steadily from 1998 to 2003, but after peaking in 2003 the OSS ratio decreased in 2004 and has shown little change over the past several years.

Figure 7. Annual Changes in Number of OSS and Non-OSS Cases

1.5 Product Vendors

Figures 8 and 9 illustrate the breakdown of software vendors registered on JVN iPedia, with Figure 8 showing OSS vendors and Figure 9 showing non-OSS vendors.

As shown in Figure 8, the 278 registered OSS vendors consist of 56 domestic vendors, 21 foreign vendors with a Japan office, and 201 foreign vendors without an office in Japan. Similarly, as Figure 9 represents, the 194 registered non-OSS vendors consist of 99 domestic vendors, 57 foreign vendors with an office in Japan, and 38 foreign vendors without an office in Japan.

Among OSS vendors, a large amount of vulnerability countermeasure information is registered from foreign vendors without offices in Japan.

When utilizing OSS, if a product user does not have the proper knowledge required to update software to the latest version or to apply security patches, it is necessary to consider contract arrangements for support and/or the use of product support services provided by the vendor.

Figure 8. OSS Vendors / Figure 9. Non-OSS Vendors

2. Most Accessed Vulnerability Countermeasure Information

Table 2 lists the 20 most accessed vulnerability countermeasure information entries in the JVN iPedia database during the second quarter of 2009.

Vulnerability countermeasure information published some time ago, such as that on DNS, Virus Security, Apache Tomcat, and OpenSSL, attracted high access counts, illustrating user interest in information concerning these products.

The latest vulnerability information on frequently used products, such as iPhone OS, the "Ichitaro" series, and products utilizing PHP or Perl, also attracted numerous accesses.

Table 3 lists the five most accessed vulnerability countermeasure information entries among those provided by domestic product developers.

Table 2. Top 20 Most Accessed Vulnerability Countermeasure Information on JVN iPedia

 #  ID                 Access  CVSS  Date Public  Title
 1  JVNDB-2008-001495   1,510   6.4  2008/7/9     DNS cache poisoning vulnerability in multiple DNS products (in Japanese)
 2  JVNDB-2008-000050   1,411   4.3  2008/8/12    Virus Security and Virus Security ZERO denial of service (DoS) vulnerability
 3  JVNDB-2005-000601   1,203   2.6  2005/10/11   Open SSL version rollback vulnerability
 4  JVNDB-2009-000010   1,112   2.6  2009/2/26    Apache Tomcat information disclosure vulnerability
 5  JVNDB-2009-000040   1,005   7.8  2009/6/18    iPhone OS denial of service (DoS) vulnerability
 6  JVNDB-2009-000018     995   6.8  2009/4/7     Buffer overflow vulnerability in "Ichitaro" series (in Japanese)
 7  JVNDB-2009-000032     943  10.0  2009/5/29    Directory traversal vulnerability in multiple Cisco Systems products
 8  JVNDB-2006-000594     918  10.0  2006/9/28    Buffer overflow vulnerability in SSL_get_shared_ciphers() variable in OpenSSL (in Japanese)
 9  JVNDB-2009-000016     907   7.5  2009/3/31    Access Analyzer CGI Professional Version vulnerability allows third party to gain administrative privileges
10  JVNDB-2008-000009     873   4.3  2008/2/12    Apache Tomcat fails to properly handle cookie value
11  JVNDB-2009-000017     822   4.3  2009/4/2     XOOPS Cube Legacy cross-site scripting vulnerability
12  JVNDB-2008-001807     821   5.0  2008/7/10    Denial of service vulnerability in zlib_stateful_init variable in OpenSSL (in Japanese)
13  JVNDB-2004-000554     774   4.3  2004/12/15   Namazu cross-site scripting vulnerability
14  JVNDB-2007-001017     750   4.3  2007/12/3    Improper HTTP method examination for Apache HTTP Server 413 Error Message (in Japanese)
15  JVNDB-2008-000018     721   4.3  2008/3/21    Namazu cross-site scripting vulnerability
16  JVNDB-2009-001131     700  10.0  2009/3/18    Arbitrary code execution vulnerability in Adobe Reader and Adobe Acrobat (in Japanese)
17  JVNDB-2009-000019     684   4.3  2009/4/16    Cross-site scripting vulnerability in apricot.php from LovPop.net
18  JVNDB-2008-001647     670   7.5  2008/8/14    Jasmine WebLink Template Multiple Vulnerabilities
19  JVNDB-2008-000084     643   2.6  2008/12/19   PHP vulnerable to cross-site scripting
20  JVNDB-2009-000020     642   4.3  2009/4/24    Movable Type cross-site scripting vulnerability

(Access = access count during 2009 2Q; CVSS = CVSS base score; Date Public = date first made public.)

Table 3. Top 5 Most Accessed Vulnerability Countermeasure Information From Domestic Developers

 #  ID                 Access  CVSS  Date Public  Title
 1  JVNDB-2008-001647     670   7.5  2008/8/14    Jasmine WebLink Template Multiple Vulnerabilities
 2  JVNDB-2008-001150     419   3.6  2008/2/27    JP1/HIBUN Encryption/Decryption and Removable Media Control Malfunction Problems
 3  JVNDB-2008-001313     409   5.0  2008/4/4     JP1/Cm2/Network Node Manager Denial of Service Vulnerability
 4  JVNDB-2009-001135     314   6.8  2009/2/19    Fujitsu Jasmine HTTP Response Splitting Vulnerability When Executing WebLink Template
 5  JVNDB-2008-001895     301   6.5  2008/10/24   JP1/VERITAS NetBackup JAVA Administration GUI Privilege Escalation Vulnerability

(Access = access count during 2009 2Q; CVSS = CVSS base score; Date Public = date first made public.)

Note 1) Color Code for CVSS Base Score and Severity Level

  CVSS Base Score 0.0~3.9   Severity Level: Low
  CVSS Base Score 4.0~6.9   Severity Level: Medium
  CVSS Base Score 7.0~10.0  Severity Level: High

Note 2) Color Code for Published Date

  Published in ~2008/3Q
  Published in 2008/4Q
  Published in 2009/1Q
  Published in 2009/2Q

Footnote

(*1) Japan Vulnerability Notes. A portal for vulnerability countermeasure information, providing information on vendor responses to reported vulnerabilities and on security support. Operated in collaboration by IPA and JPCERT/CC.
http://jvn.jp/en/

(*2) National Institute of Standards and Technology. A U.S. federal agency that develops and promotes measurement, standards, and technology.
http://www.nist.gov/

(*3) National Vulnerability Database. A vulnerability database operated by NIST.
http://nvd.nist.gov/home.cfm

(*4) RSS format employed by JVN, which allows IT users and system engineers to gather information more efficiently.

(*5) How to Secure Your Web Site:
http://www.ipa.go.jp/security/english/vuln/200806_websecurity_en.html

(*6) Common Vulnerability Scoring System (CVSS) v2 Summary:
http://www.ipa.go.jp/security/vuln/SeverityCVSS2.html (in Japanese)
A Complete Guide to the Common Vulnerability Scoring System Version 2.0:
http://www.first.org/cvss/cvss-guide.html (FIRST - Forum of Incident Response and Security Teams)

(*7) Transition to the New Version of Vulnerability Severity Scoring System CVSS v2. CVSS (Common Vulnerability Scoring System).
http://www.ipa.go.jp/security/vuln/SeverityLevel2.html (in Japanese)

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)