IPA/ISEC:Vulnerabilities:JVN iPedia Registration Status for 2009 3Q

~JVN iPedia now stores over 7,000 vulnerability countermeasure information entries~

Nov 11, 2009

Information-technology Promotion Agency, Japan (IPA, Chairman Koji Nishigaki) has issued a quarterly analysis report on the vulnerabilities registered to JVN iPedia, a vulnerability countermeasure information database, for the third quarter (July – September) of the year 2009.

JVN iPedia (http://jvndb.jvn.jp/en/), a vulnerability countermeasure information database, aims to be a comprehensive collection of vulnerability countermeasure information for software products used in Japan.

JVN iPedia collects, and translates where needed, the vulnerability countermeasure information published by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), a vulnerability information database run by the National Institute of Standards and Technology (NIST)(*3). JVN iPedia has made this information available to the public since April 25, 2007.

(1) Vulnerability countermeasure information registered in JVN iPedia surpasses 7,000

The vulnerability countermeasure information registered to the Japanese version of JVN iPedia passed a cumulative total of 7,000 entries in the 3rd quarter of 2009 (July 1 to September 30, 2009).

Of the entries added this quarter, 9 came from domestic developers (83 cumulative since the start of JVN iPedia), 28 from JVN (698 cumulative), and 592 from NVD (6,514 cumulative), for a quarterly total of 629 entries (7,295 cumulative) (Table 1, Figure 1).

In the English version of JVN iPedia, 9 entries came from domestic developers (83 cumulative) and 21 from JVN (398 cumulative), for a quarterly total of 30 entries (481 cumulative).

Table 1. Registered Vulnerabilities in Third Quarter of 2009

Version           Information Source    2009 3Q   Total Sum
Japanese Version  Domestic Developers         9          83
                  JVN                        28         698
                  NVD                       592       6,514
                  Total                     629       7,295
English Version   Domestic Developers         9          83
                  JVN                        21         398
                  Total                      30         481

 

Figure 1. Quarterly Change in Number of Registered Vulnerabilities

(2) JVN iPedia now in the CVE Compatibility Requirements Evaluation Process

Common Vulnerabilities and Exposures (CVE)(*4) is a system of unique identifiers for vulnerabilities in IT products, run by the non-profit MITRE Corporation with the support of the U.S. government. It was launched in 1999 and marked 10 years of operation on September 29, 2009.

Many vulnerability scanning tools and vulnerability advisory services use CVE. Because each vulnerability in an IT product is given a unique, common identifier (CVE-ID), users can tell whether different advisories describe the same vulnerability, and can cross-reference and correlate advisories from different sources by that identifier.

To make its support of CVE explicit, IPA made the CVE Compatibility Declaration for JVN iPedia, JVN (Japan Vulnerability Notes) and MyJVN (Filtered Vulnerability Countermeasure Information Tool) in December 2008.

As the next step, IPA submitted the CVE Compatibility Requirements Evaluation Form for each of them to MITRE. Once the evaluation is complete, JVN iPedia, JVN and MyJVN are to be certified "Officially CVE-Compatible".
(JVN iPedia) http://cve.mitre.org/compatible/questionnaires/106.html
(JVN) http://cve.mitre.org/compatible/questionnaires/104.html
(MyJVN) http://cve.mitre.org/compatible/questionnaires/105.html

IPA plans to continue adopting such common standards, promoting the international flow of vulnerability countermeasure information and maintaining and improving the infrastructure that helps users take objective and efficient countermeasures against security vulnerabilities.

(3) To product vendors: join the vulnerability countermeasure information automatic collection scheme

On April 28, 2009, JVN iPedia began a trial of automatically collecting vulnerability countermeasure information that vendors publish in the JVNRSS (Japan Vulnerability Notes RSS)(*5) format.

The product vendors offering vulnerability countermeasure information in the JVNRSS format are listed on the IPA web site: "Automatic Collection of Vulnerability Countermeasure Information Published by Product Vendors" ( http://www.ipa.go.jp/security/vuln/jvnrss.html (in Japanese)).

As of the 3rd quarter of 2009, NEC Corporation and Fujitsu Ltd. support JVNRSS 2.0, in addition to Hitachi Ltd.

IPA hopes that product vendors will participate proactively in the scheme, so that their vulnerability countermeasure information reaches product users widely and encourages them to apply countermeasures.

For details on how to participate in the automatic collection scheme, refer to the "Guide for the Release of Vulnerability Countermeasure Information Utilizing JVNRSS" on the same IPA web page, "Automatic Collection of Vulnerability Countermeasure Information Published by Product Vendors" ( http://www.ipa.go.jp/security/vuln/jvnrss.html (in Japanese)).
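As an added example (not IPA code and not the JVNRSS specification), the script below consumes a small constructed JVNRSS-style feed the way an automated collector would, and indexes the items by the CVE-IDs they reference, which is the cross-referencing use of CVE described in section (2). JVNRSS is RSS 1.0 (RDF) with the mod_sec extension; the sec: namespace URI and the element and attribute names used here (sec:identifier, sec:references with a source attribute, sec:cvss with score and vector attributes) are my reading of that extension and are assumptions, not details given on this page; check them against the JVNRSS guide before relying on them. The advisory IDs, URLs and CVE numbers in the sample feed are fictitious.

```python
"""Parse a JVNRSS-style advisory feed and cross-reference items by CVE-ID.

Added example, not IPA code. The feed is constructed; the sec: namespace
and element/attribute names are assumed from the mod_sec extension.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {
    "rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "rss": "http://purl.org/rss/1.0/",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "sec": "http://jvn.jp/rss/mod_sec/",  # assumed JVNRSS mod_sec namespace
}

# CVE-IDs had four sequence digits in 2009; \d{4,} also accepts the longer
# identifiers introduced later, so the same pattern keeps working.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed sample: two vendor advisories, the second also mentions the
# first one's CVE in its title only (a common real-world pattern).
SAMPLE_FEED = """<rdf:RDF xmlns="http://purl.org/rss/1.0/"
  xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:dcterms="http://purl.org/dc/terms/"
  xmlns:sec="http://jvn.jp/rss/mod_sec/">
  <channel rdf:about="https://vendor.example/security/jvnrss.rdf">
    <title>Example Vendor security advisories (constructed sample)</title>
    <link>https://vendor.example/security/</link>
    <description>Fictitious feed for the parser below.</description>
  </channel>
  <item rdf:about="https://vendor.example/security/EXV-2009-001">
    <title>Buffer overflow in Example Server 2.x</title>
    <link>https://vendor.example/security/EXV-2009-001</link>
    <description>Fixed in Example Server 2.1.4.</description>
    <dc:publisher>Example Vendor</dc:publisher>
    <dcterms:issued>2009-08-05</dcterms:issued>
    <sec:identifier>EXV-2009-001</sec:identifier>
    <sec:references source="CVE">CVE-2009-99901</sec:references>
    <sec:cvss version="2.0" score="7.5" type="Base" severity="High"
              vector="(AV:N/AC:L/Au:N/C:P/I:P/A:P)"/>
  </item>
  <item rdf:about="https://vendor.example/security/EXV-2009-002">
    <title>Example Agent affected by CVE-2009-99901; new XSS issue</title>
    <link>https://vendor.example/security/EXV-2009-002</link>
    <description>Bundles the fix for the Example Server overflow.</description>
    <dc:publisher>Example Vendor</dc:publisher>
    <dcterms:issued>2009-09-02</dcterms:issued>
    <sec:identifier>EXV-2009-002</sec:identifier>
    <sec:references source="CVE">CVE-2009-99902</sec:references>
    <sec:cvss version="2.0" score="4.3" type="Base" severity="Medium"
              vector="(AV:N/AC:M/Au:N/C:N/I:P/A:N)"/>
  </item>
</rdf:RDF>
"""


def parse_jvnrss(xml_text):
    """Return one dict per item: vendor id, title, issue date, sorted CVE-IDs
    and the CVSS base score (None when the item carries no sec:cvss)."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.findall("rss:item", NS):
        title = item.findtext("rss:title", default="", namespaces=NS)
        desc = item.findtext("rss:description", default="", namespaces=NS)
        cves = set()
        for ref in item.findall("sec:references", NS):
            if (ref.get("source") or "").upper() == "CVE":
                cves.update(CVE_RE.findall(ref.text or ""))
        # Also scan free text: some vendors only name the CVE in prose.
        cves.update(CVE_RE.findall(title + " " + desc))
        cvss = item.find("sec:cvss", NS)
        score = cvss.get("score") if cvss is not None else None
        items.append({
            "id": item.findtext("sec:identifier", default="", namespaces=NS),
            "title": title,
            "issued": item.findtext("dcterms:issued", default="", namespaces=NS),
            "cves": sorted(cves),
            "cvss_score": float(score) if score else None,
        })
    return items


def index_by_cve(items):
    """Map each CVE-ID to the vendor advisory ids that mention it, so that
    advisories from different sources about the same flaw line up."""
    index = defaultdict(list)
    for it in items:
        for cve in it["cves"]:
            index[cve].append(it["id"])
    return dict(index)


if __name__ == "__main__":
    for cve, ids in sorted(index_by_cve(parse_jvnrss(SAMPLE_FEED)).items()):
        print(cve, "->", ", ".join(ids))
```

Indexing by CVE-ID is what lets a collector notice that EXV-2009-002 is a second advisory for the flaw already recorded under EXV-2009-001 rather than a new vulnerability.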

(4) JVN iPedia now receives over 500,000 hits per month

In the 3rd quarter, vulnerability countermeasure information on DNS, OpenSSL, Apache Tomcat and Virus Security continued to draw high access counts long after its initial publication, showing sustained user interest in these products.

Recently published vulnerability information on popular products, such as FreeNAS, ATOK, and software written in PHP or Perl, also drew many accesses.

JVN iPedia recorded over 500,000 hits in September, about three times the figure of a year earlier. IPA hopes that IT users will continue to make use of JVN iPedia as a portal for vulnerability countermeasure information.

1. Summary of the 2009 3Q

1.1 Many well-known types of vulnerabilities still reported

Figure 2 shows the number of vulnerability countermeasure information entries registered during the 3rd quarter, broken down by vulnerability type using CWE.

The most frequently reported types were CWE-119 (Buffer Errors) with 83 cases, CWE-79 (Cross-site Scripting) with 66 cases, CWE-399 (Resource Management Errors) with 59 cases, CWE-264 (Permissions, Privileges, and Access Controls) with 49 cases, CWE-20 (Improper Input Validation) with 37 cases, CWE-200 (Information Leak) with 36 cases, and CWE-94 (Code Injection) with 31 cases.

Most of these are well-known types of vulnerabilities. Software developers should consult the IPA guidelines that address them, such as "How to Secure Your Web Site"(*6), and build the necessary security measures in from the design phase of software development.

Figure 2. Vulnerability Types Registered in 2009/3Q

1.2 Severity of Vulnerabilities

Figure 3 shows the annual trend in the severity of vulnerabilities registered to JVN iPedia, based on the date they were first made public by product developers or by other means such as security portal sites.

Publication of vulnerability countermeasure information has increased sharply since 2004 and continued to rise through 2008.

JVN iPedia rates each vulnerability using CVSS(*7) and publishes its severity level(*8).

For 2009 through the 3rd quarter (January to September), 42 percent of the vulnerabilities were rated "High" (CVSS Base Score 7.0-10.0), 56 percent "Medium" (CVSS Base Score 4.0-6.9) and 7 percent "Low" (CVSS Base Score 0.0-3.9).

Given the large number of published vulnerabilities rated at high severity, product users should check vulnerability information daily and apply updates and security patches for the products concerned without delay.
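To make the severity levels concrete, the following added example (not IPA's code) computes a CVSS v2 base score from a vector string, using the metric weights and base-score equation of the CVSS v2 guide cited in footnote (*7), and maps the result to the Low/Medium/High thresholds the report uses (the same mapping as the color legend under Table 3). The vector strings in the sample are constructed for illustration and are not the vectors of any JVN iPedia entry on this page.

```python
"""CVSS v2 base score and JVN iPedia severity level.

Added example, not IPA code. Weights and equation follow the CVSS v2
guide; the Low/Medium/High thresholds are the ones the report states.
"""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base metric weights.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}  # shared by C, I and A

REQUIRED = {"AV", "AC", "Au", "C", "I", "A"}


def parse_vector(vector):
    """Split 'AV:N/AC:L/Au:N/C:P/I:P/A:P' (with or without the parentheses
    JVN iPedia and NVD print around it) into a dict, rejecting anything
    that is not a complete base vector."""
    body = vector.strip().strip("()")
    metrics = {}
    for part in body.split("/"):
        name, sep, value = part.partition(":")
        if not sep:
            raise ValueError("malformed metric %r in %r" % (part, vector))
        metrics[name] = value
    if set(metrics) != REQUIRED:
        raise ValueError("base vector must contain exactly AV, AC, Au, C, I, A")
    return metrics


def base_score(vector):
    """CVSS v2 base score, rounded to one decimal as the specification does."""
    m = parse_vector(vector)
    try:
        c, i, a = IMPACT[m["C"]], IMPACT[m["I"]], IMPACT[m["A"]]
        av, ac, au = ACCESS_VECTOR[m["AV"]], ACCESS_COMPLEXITY[m["AC"]], AUTHENTICATION[m["Au"]]
    except KeyError as bad:
        raise ValueError("unknown metric value %s in %r" % (bad, vector))
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = 20 * av * ac * au
    f_impact = 0.0 if impact == 0 else 1.176  # no impact at all scores 0.0
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    # Decimal with ROUND_HALF_UP avoids the banker's rounding of round().
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def severity(score):
    """JVN iPedia severity level for a CVSS base score."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base score must be within 0.0-10.0")
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def severity_breakdown(vectors):
    """Count vectors per severity level, the breakdown the report gives
    as percentages in section 1.2."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for v in vectors:
        counts[severity(base_score(v))] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample vectors, not taken from the JVN iPedia entries above.
    samples = [
        "AV:N/AC:L/Au:N/C:P/I:P/A:P",    # remote, unauthenticated, partial C/I/A
        "(AV:N/AC:M/Au:N/C:N/I:P/A:N)",  # typical reflected XSS
        "AV:N/AC:H/Au:N/C:N/I:P/A:N",    # hard-to-exploit integrity-only issue
        "AV:L/AC:L/Au:N/C:C/I:C/A:C",    # local full compromise
    ]
    for v in samples:
        s = base_score(v)
        print("%-32s %4.1f %s" % (v, s, severity(s)))
    print(severity_breakdown(samples))
```

The f(Impact) factor is what makes a vector with no confidentiality, integrity or availability impact score exactly 0.0 regardless of how exploitable it is; the two threshold edges (3.9/4.0 and 6.9/7.0) are where a one-decimal rounding difference changes the level a user sees.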

Figure 3. Annual Changes in Severity of Vulnerabilities

1.3 Kinds of Products

Figure 4 shows the annual trend in the types of software products with vulnerabilities registered to JVN iPedia, based on their publication dates.

Vulnerability countermeasure information is increasing every year for application software, including desktop applications such as Internet Explorer, Firefox and Microsoft Office; middleware such as web servers, application servers and databases; and development and management platforms such as PHP, Java and the GNU libraries.

Many new applications are developed each year, and they continue to carry both old and new classes of vulnerabilities, so security measures for application software should be a particularly high priority.

For operating systems such as Windows, Mac OS, UNIX and Linux, the number of published vulnerabilities initially rose, but has fallen since 2005.

This is because, even though new OS vulnerabilities are discovered each year, the countermeasures are promptly incorporated into subsequent versions of the product.

Since around 2005, vulnerabilities in embedded software products, such as network devices, cell phones, DVD recorders and other networked home appliances, have gradually started to be published.

Figure 4. Annual Changes in Kinds of Products With Vulnerabilities

1.4 Open Source Software

Figure 5 shows the annual trend in JVN iPedia registered vulnerabilities in open source software (OSS) and in non-OSS, based on the date they were first made public. 31 percent of the registered vulnerabilities are in OSS and 69 percent in non-OSS.

In terms of the annual OSS to non-OSS ratio, the share of OSS rose steadily from 1998 to 2003, peaked in 2003, and has been declining since.

Figure 5. Annual Changes in Number of OSS and Non-OSS Cases

1.5 Product Vendors

Figures 6 and 7 show the breakdown of software developers (vendors) whose products are registered on JVN iPedia, with Figure 6 covering OSS vendors and Figure 7 non-OSS vendors.

As shown in Figure 6, the 286 registered OSS vendors consist of 56 domestic vendors, 21 foreign vendors with an office in Japan, and 209 foreign vendors without an office in Japan.

Similarly, as shown in Figure 7, the 199 registered non-OSS vendors consist of 103 domestic vendors, 57 foreign vendors with an office in Japan, and 39 foreign vendors without an office in Japan.

For OSS, a large share of the vulnerability countermeasure information comes from foreign vendors without an office in Japan. Users of OSS who lack the expertise to update to the latest version or apply security patches themselves should consider a support contract and/or the product support services offered by the vendor.

Figure 6. OSS Vendors / Figure 7. Non-OSS Vendors

2. Most Accessed Vulnerability Countermeasure Information

Table 2 lists the 20 most accessed vulnerability countermeasure information entries in the JVN iPedia database during the 3rd quarter of 2009.

Entries published some time ago, such as those on DNS, OpenSSL, Apache Tomcat and Virus Security, still drew high access counts, showing continued user interest in information on these products.

Recently published vulnerability information on popular products, such as FreeNAS, ATOK, and software written in PHP or Perl, also drew a large number of accesses.

Table 3 lists the 5 most accessed entries among those reported by domestic product developers.

Table 2. Top 20 Most Accessed Vulnerability Countermeasure Information on JVN iPedia

 #  ID                 Access  CVSS  Published   Title
 1  JVNDB-2008-001495   1,633   6.4  2008/7/23   DNS cache poisoning vulnerability in multiple DNS products (in Japanese)
 2  JVNDB-2005-000601   1,183   2.6  2007/4/1    OpenSSL version rollback vulnerability
 3  JVNDB-2008-000009   1,075   4.3  2008/2/12   Apache Tomcat fails to properly handle cookie value
 4  JVNDB-2009-000053   1,065   7.1  2009/8/5    Cross-site request forgery vulnerability in FreeNAS
 5  JVNDB-2009-000037     989   4.3  2009/6/18   Apache Tomcat denial of service (DoS) vulnerability
 6  JVNDB-2008-000050     966   4.3  2008/8/12   Virus Security and Virus Security ZERO denial of service (DoS) vulnerability
 7  JVNDB-2009-000057     924   7.2  2009/9/2    ATOK Screen Lock Security Bypass Vulnerability (in Japanese)
 8  JVNDB-2009-000046     845   5.0  2009/6/25   PHP-I-BOARD from Let's PHP! vulnerable to directory traversal
 8  JVNDB-2009-000036     845   4.3  2009/6/18   Apache Tomcat information disclosure vulnerability
10  JVNDB-2009-000048     838   4.3  2009/7/14   shiromuku(fs6)DIARY cross-site scripting vulnerability
11  JVNDB-2009-000056     815   6.5  2009/8/24   SugarCRM vulnerable to SQL injection
11  JVNDB-2009-000010     815   2.6  2009/2/26   Apache Tomcat information disclosure vulnerability
13  JVNDB-2009-000050     809   6.8  2009/7/29   MySQL Connector/J vulnerable to SQL injection
14  JVNDB-2007-001017     795   4.3  2007/12/20  Improper HTTP method examination for Apache HTTP Server 413 Error Message (in Japanese)
15  JVNDB-2009-000040     778   7.8  2009/6/18   iPhone OS denial of service (DoS) vulnerability
16  JVNDB-2009-000043     770   5.0  2009/6/24   Movable Type access restriction bypass vulnerability
16  JVNDB-2009-000042     770   2.6  2009/6/24   Movable Type cross-site scripting vulnerability
18  JVNDB-2008-000084     751   2.6  2008/12/19  PHP vulnerable to cross-site scripting
19  JVNDB-2008-000022     738   6.8  2008/4/28   Lhaplus buffer overflow vulnerability
20  JVNDB-2009-000045     733   4.3  2009/6/25   PHP-I-BOARD from Let's PHP! vulnerable to cross-site scripting

(Access = access count in 2009 3Q; CVSS = CVSS Base Score; Published = date first made public.)

 

Table 3. Top 5 Most Accessed Vulnerability Countermeasure Information From Domestic Developers

 #  ID                 Access  CVSS  Published   Title
 1  JVNDB-2008-001647     627   7.5  2008/9/10   Jasmine WebLink Template Multiple Vulnerabilities
 2  JVNDB-2008-001313     616   5.0  2008/5/9    JP1/Cm2/Network Node Manager Denial of Service Vulnerability
 3  JVNDB-2008-001150     576   3.6  2008/3/14   JP1/HIBUN Encryption/Decryption and Removable Media Control Malfunction Problems
 4  JVNDB-2009-001544     535  10.0  2009/7/1    Cosminexus Processing Kit for XML and Hitachi Developer's Kit for Java Possible Unauthorized Access through Vulnerability in Encoding Process
 5  JVNDB-2008-001895     476   6.5  2008/11/26  JP1/VERITAS NetBackup JAVA Administration GUI Privilege Escalation Vulnerability

(Access = access count in 2009 3Q; CVSS = CVSS Base Score; Published = date first made public.)


Note 1) CVSS Base Score and Severity Level (shown by color code in the original tables):
CVSS Base Score 0.0-3.9 = Severity Level Low
CVSS Base Score 4.0-6.9 = Severity Level Medium
CVSS Base Score 7.0-10.0 = Severity Level High

Note 2) Published Date (shown by color code in the original tables): published in 2007, 2008 or 2009.

 

Footnote

(*1) Japan Vulnerability Notes. A portal for vulnerability countermeasure information that provides information on vendor responses to reported vulnerabilities and on security support. Operated jointly by IPA and JPCERT/CC.
http://jvn.jp/en/

(*2)National Vulnerability Database. A vulnerability database operated by NIST.
http://nvd.nist.gov/home.cfm

(*3) National Institute of Standards and Technology. A U.S. federal agency that develops and promotes measurement, standards and technology.
http://www.nist.gov/

(*4)Refer to CVE (Common Vulnerabilities and Exposures) Overview:
http://www.ipa.go.jp/security/english/vuln/CVE_en.html

(*5) An RSS format employed by JVN that allows IT users and system engineers to gather vulnerability information more efficiently.

(*6)How to Secure Your Web Site:
http://www.ipa.go.jp/security/english/vuln/200806_websecurity_en.html

(*7)Common Vulnerability Scoring System (CVSS) v2 Summary:
http://www.ipa.go.jp/security/vuln/SeverityCVSS2.html (in Japanese)
A Complete Guide to the Common Vulnerability Scoring System Version 2.0:
http://www.first.org/cvss/cvss-guide.html (FIRST - Forum of Incident Response and Security Teams)

(*8) Transition to the New Version of the Vulnerability Severity Scoring System, CVSS (Common Vulnerability Scoring System) v2:
http://www.ipa.go.jp/security/vuln/SeverityLevel2.html (in Japanese)


Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: