IPA/ISEC:Vulnerabilities:JVN iPedia Registration Status for 2009 4Q

~Access to JVN iPedia now reached 1 million hits per month~

Feb 3, 2010

Information-technology Promotion Agency, Japan (IPA, Chairman Koji Nishigaki) has issued its quarterly analysis report on the vulnerabilities registered to JVN iPedia, a vulnerability countermeasure information database, for the fourth quarter (October to December) of 2009.
JVN iPedia passed the mark of 1 million hits per month in December 2009, five times the figure of a year earlier.
The increase is attributed to the growth of the database (7,646 vulnerability entries in total) and to the two JVN iPedia companion tools released at the end of 2009, MyJVN Version Checker and MyJVN Security Configuration Checker.

To promote international collaboration and the sharing of vulnerability information, IPA has extended the CVSS (vulnerability severity) Calculator to seven languages (Arabic, English, French, German, Japanese, Korean and Spanish).

In addition, IPA's effort to promote global use of JVN iPedia has borne fruit: JVN is now officially CVE-Compatible. IPA hopes that IT users will continue to use JVN iPedia as a portal for vulnerability countermeasure information.

As for the characteristics of 2009, five long-established vulnerability types, such as buffer errors, resource management errors, and permissions, privileges and access controls, accounted for 60 percent of the total reported cases.

Software developers should make sure to implement necessary security measures from the planning and design phase of software development.

(1)Access to JVN iPedia reached 1 million hits per month

In the 4th quarter, vulnerability countermeasure information on DNS, Jasmine, OpenSSL, Apache Tomcat, Lhaplus and Namazu continued to draw high access counts long after its initial publication.

Among the vulnerabilities published in 2009, those concerning IPv6, XML digital signature tools, the Cybozu product family and SugarCRM drew large access counts, reflecting user interest in these products.

In the meantime, IPA released two easy-to-use tools that help IT users make use of JVN iPedia: MyJVN Version Checker(*1), which checks the versions of installed software, and MyJVN Security Configuration Checker(*2), which assesses the Windows security configuration.

These led to JVN iPedia reaching the mark of 1 million hits per month in December 2009, five times the figure of a year earlier. IPA hopes that IT users will continue to use JVN iPedia as a portal for vulnerability countermeasure information.

(2)Vulnerabilities registered in 4th quarter 2009

The vulnerability countermeasure information registered to the Japanese version of JVN iPedia in the 4th quarter of 2009 (October 1 to December 31, 2009) totaled 351 entries (cumulative total: 7,646).

Of these, 2 came from domestic developers (85 cumulative since JVN iPedia started), 26 from JVN (724 cumulative) and 323 from NVD (6,837 cumulative), for a quarterly total of 351 (7,646 cumulative) (Table 1, Figure 1).

In the English version of JVN iPedia, 2 entries came from domestic developers (85 cumulative) and 16 from JVN (413 cumulative), for a quarterly total of 18 (498 cumulative).

Table 1. Registered Vulnerabilities in 4th Quarter of 2009

  Version           Information Source     2009 4Q   Total Sum
  Japanese Version  Domestic Developers          2          85
                    JVN                         26         724
                    NVD                        323       6,837
                    Total                      351       7,646
  English Version   Domestic Developers          2          85
                    JVN                         16         413
                    Total                       18         498

Figure 1. Quarterly Changes in Number of Registered Vulnerabilities

(3)CVSS (severity of vulnerability) Calculator now available in 7 languages

The Common Vulnerability Scoring System (CVSS(*3)) is a vendor-independent vulnerability rating system that provides an open, standardized method for rating the severity of information system vulnerabilities.

With CVSS, the severity of different vulnerabilities can be compared quantitatively under one common standard, and the parties involved, such as vendors, security experts, system administrators and end users, can discuss vulnerabilities in a common language.

JVN iPedia supports CVSS and publishes the CVSS Base Score of each vulnerability, which represents the vulnerability's intrinsic characteristics.

With the JVN iPedia CVSS Calculator, end users can compute the CVSS Temporal Score (which factors in exploitability, remediation level and report confidence) and the CVSS Environmental Score (which factors in target distribution, collateral damage potential and security requirements) to help decide whether and how urgently to respond to the vulnerability in their own environment.

To promote international collaboration and the sharing of vulnerability information with overseas Computer Security Incident Response Teams (CSIRTs), software developers and end users, IPA has proceeded with the multilingualization of the CVSS (vulnerability severity) Calculator.

In addition to English and Japanese, it is now provided in Arabic, French, German, Korean and Spanish (listed in alphabetical order), for a total of seven languages.

The new multilingual CVSS Calculator (Figure 2) is available at the following URLs:
http://jvndb.jvn.jp/en/cvss/index.html (English Top Page)
http://jvndb.jvn.jp/cvss/index.html (Japanese Top Page)

Figure 2. Image of Multilingual CVSS Calculator
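The equations behind the three scores the calculator produces are those of the CVSS v2 guide cited in footnote (*3). The Python script below is an added example written for this page; it is not IPA's calculator code and not part of JVN iPedia. It scores a vector string in the v2 notation (for example AV:N/AC:L/Au:N/C:N/I:N/A:C, the v2 guide's own worked example, Base Score 7.8), applies the Temporal and Environmental metrics when they are present, and maps the result to the Low/Medium/High bands used in section 1.2 of this report. The metric weights are taken from the v2 guide; the function names, the rounding helper and the sample vectors are this example's own choices and the vectors are constructed for illustration, not taken from any JVNDB entry.

```python
"""CVSS v2 Base / Temporal / Environmental scoring for vector strings.

Added example: not IPA's or JVN iPedia's calculator code. The metric
weights and equations follow the CVSS v2 guide; function names, the
rounding helper and the sample vectors are this example's own.
"""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from "A Complete Guide to the Common Vulnerability Scoring
# System Version 2.0" (FIRST). Keys are the abbreviations used in v2 vectors.
BASE = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},    # Access Vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},     # Access Complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},    # Authentication
    "C":  {"N": 0.0, "P": 0.275, "C": 0.660},    # Confidentiality impact
    "I":  {"N": 0.0, "P": 0.275, "C": 0.660},    # Integrity impact
    "A":  {"N": 0.0, "P": 0.275, "C": 0.660},    # Availability impact
}
TEMPORAL = {
    "E":  {"U": 0.85, "POC": 0.90, "F": 0.95, "H": 1.0, "ND": 1.0},  # Exploitability
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},  # Remediation Level
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},             # Report Confidence
}
ENVIRONMENTAL = {
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},  # Collateral Damage Potential
    "TD":  {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},            # Target Distribution
    "CR":  {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},                       # Confidentiality Requirement
    "IR":  {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},                       # Integrity Requirement
    "AR":  {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},                       # Availability Requirement
}
ALL_METRICS = {**BASE, **TEMPORAL, **ENVIRONMENTAL}


def round1(x):
    """CVSS rounds to one decimal, half up; Python's round() is half-to-even."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """'AV:N/AC:L/Au:N/C:N/I:N/A:C[/E:F/...]' -> {'AV': 'N', ...}.

    Temporal and Environmental metrics are optional and default to ND (Not
    Defined). Unknown metrics or values raise ValueError instead of silently
    scoring a malformed vector.
    """
    metrics = {name: "ND" for name in list(TEMPORAL) + list(ENVIRONMENTAL)}
    for part in vector.strip().split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in ALL_METRICS or value not in ALL_METRICS[name]:
            raise ValueError(f"malformed CVSS v2 metric: {part!r}")
        metrics[name] = value
    missing = [name for name in BASE if name not in metrics]
    if missing:
        raise ValueError(f"vector lacks base metrics: {missing}")
    return metrics


def _impact(m, cr=1.0, ir=1.0, ar=1.0):
    # Base Impact sub-score; with the CR/IR/AR multipliers it becomes the
    # Environmental AdjustedImpact (the caller caps it at 10).
    c, i, a = BASE["C"][m["C"]] * cr, BASE["I"][m["I"]] * ir, BASE["A"][m["A"]] * ar
    return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))


def _exploitability(m):
    return 20 * BASE["AV"][m["AV"]] * BASE["AC"][m["AC"]] * BASE["Au"][m["Au"]]


def _base_from(impact, exploitability):
    # f(Impact) is 0 when there is no impact at all, so C:N/I:N/A:N scores 0.0
    # no matter how easy the flaw is to reach.
    if impact == 0:
        return 0.0
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176)


def _temporal_multiplier(m):
    return TEMPORAL["E"][m["E"]] * TEMPORAL["RL"][m["RL"]] * TEMPORAL["RC"][m["RC"]]


def base_score(vector):
    m = parse_vector(vector)
    return _base_from(_impact(m), _exploitability(m))


def temporal_score(vector):
    m = parse_vector(vector)
    return round1(base_score(vector) * _temporal_multiplier(m))


def environmental_score(vector):
    m = parse_vector(vector)
    adjusted_impact = min(10.0, _impact(m, ENVIRONMENTAL["CR"][m["CR"]],
                                        ENVIRONMENTAL["IR"][m["IR"]],
                                        ENVIRONMENTAL["AR"][m["AR"]]))
    adjusted_base = _base_from(adjusted_impact, _exploitability(m))
    adjusted_temporal = round1(adjusted_base * _temporal_multiplier(m))
    cdp, td = ENVIRONMENTAL["CDP"][m["CDP"]], ENVIRONMENTAL["TD"][m["TD"]]
    return round1((adjusted_temporal + (10 - adjusted_temporal) * cdp) * td)


def severity(score):
    """JVN iPedia's bands: High 7.0-10.0, Medium 4.0-6.9, Low 0.0-3.9."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    samples = [  # constructed vectors, not taken from any JVNDB entry
        "AV:N/AC:L/Au:N/C:N/I:N/A:C",   # remote, unauthenticated, availability only
        "AV:N/AC:M/Au:N/C:N/I:P/A:N",   # a typical reflected cross-site scripting vector
        "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C/CDP:L/TD:H/CR:H/IR:H/AR:H",
    ]
    for v in samples:
        b, t, e = base_score(v), temporal_score(v), environmental_score(v)
        print(f"{v}\n  base={b} ({severity(b)})  temporal={t}  environmental={e}")
```

Two details matter when reproducing a calculator's output. CVSS rounds half up, while Python's built-in round() rounds half to even, so the Decimal helper is not optional. This example also rounds the adjusted Base and adjusted Temporal scores to one decimal before the final Environmental step; an implementation that carries full precision can differ by 0.1 near a rounding boundary, so compare against the calculator you actually rely on before publishing a score.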

(4)JVN now officially CVE-Compatible: enables global use of vulnerability information

Common Vulnerabilities and Exposures (CVE)(*4) is a system of unique identifiers for publicly known vulnerabilities in IT products, run by MITRE, a non-profit organization, with the support of the U.S. government.

It was launched in 1999 and has now been in operation for ten years. Many vulnerability scanning tools and vulnerability advisory services use CVE identifiers.

Through its formal CVE compatibility evaluation process, MITRE confirmed that CVE identifiers are properly implemented in JVN, JVN iPedia and MyJVN, and IPA is pleased to announce that all three are now officially CVE-Compatible.
http://www.cve.mitre.org/news/index.html#jan082010a

With CVE compatibility, people anywhere can use JVN, for example, to search vulnerability information by CVE ID and to check whether different vulnerability advisories refer to the same vulnerability.

IPA plans to continue adopting common standards, promoting the domestic and international flow of vulnerability countermeasure information, and maintaining and improving the infrastructure that helps IT users take objective and efficient countermeasures against security vulnerabilities.

(5)Five vulnerability types, such as buffer errors, accounted for 60 percent of reported cases

Common Weakness Enumeration (CWE)(*5) is a hierarchically structured list of software weakness types that helps in identifying and classifying software vulnerabilities.

Using CWE, the many kinds of vulnerability (weakness types), such as SQL injection, cross-site scripting and buffer overflow, can be identified and analyzed, and vulnerabilities can be compared on a common basis worldwide.

JVN iPedia uses CWE to classify vulnerability types. Figure 3 shows the annual change in vulnerability types, derived from the vulnerability countermeasure information registered to JVN iPedia.

As in 2008, five types of vulnerability, CWE-119 (Buffer Errors), CWE-399 (Resource Management Errors), CWE-264 (Permissions, Privileges and Access Controls), CWE-79 (Cross-Site Scripting) and CWE-20 (Improper Input Validation), accounted for 60 percent of the total reported cases in 2009.

Among the vulnerability types, CWE-79 (Cross-Site Scripting), CWE-20 (Improper Input Validation) and CWE-94 (Code Injection) are growing in share. Most of these are well-known types of vulnerability.

Software developers should refer to the IPA guidelines that address these vulnerabilities, such as "How to Secure Your Web Site(*6)" and the "Secure Programming Course(*7)", and build the necessary security measures into software from the planning and design phases.

Figure 3. Transition of Vulnerability Type by Publication Year

(6)About JVN iPedia, a vulnerability countermeasure information database

JVN iPedia ( http://jvndb.jvn.jp/en ) aims to become a comprehensive database that gathers vulnerability countermeasure information for software products used in Japan.

JVN iPedia collects and translates the vulnerability countermeasure information published by (1) domestic software developers, (2) JVN(*8), a vulnerability information portal site, and (3) NVD(*9), a vulnerability database run by the National Institute of Standards and Technology (NIST)(*10).

JVN iPedia has made this information available to the public since April 25, 2007.

1. Summary of the 2009 4Q

1.1 Many well-known types of vulnerabilities still reported

Figure 4 shows the number of vulnerability countermeasure information entries registered during the 4th quarter, broken down by vulnerability type using CWE.

The most frequently reported types were CWE-119 (Buffer Errors) with 52 cases, CWE-399 (Resource Management Errors) with 30 cases, CWE-264 (Permissions, Privileges, and Access Controls) with 25 cases, CWE-94 (Code Injection) with 23 cases, CWE-189 (Numeric Errors) with 21 cases, CWE-20 (Improper Input Validation) with 19 cases and CWE-310 (Cryptographic Issues) with 15 cases. Most of these are well-known types of vulnerability.

Software developers should refer to the IPA guidelines that address these vulnerabilities, such as "How to Secure Your Web Site(*6)" and the "Secure Programming Course(*7)", and build the necessary security measures into software from the planning and design phases.

Figure 4. Vulnerability Types Registered in 2009/4Q

1.2 Severity of Vulnerabilities

Figure 5 shows the annual change in the severity of vulnerabilities registered to JVN iPedia, by the date they were first made public by product developers or by other means such as security portal sites.

The publication of vulnerability countermeasure information has increased dramatically since 2004 and continued to rise through 2008.

JVN iPedia rates each vulnerability according to the CVSS(*3) and publishes its severity level(*11).

Of the vulnerabilities published in 2009 (January to December, as of the end of the 4th quarter), 44 percent were rated "High" (CVSS Base Score 7.0-10.0), 50 percent "Medium" (CVSS Base Score 4.0-6.9) and 6 percent "Low" (CVSS Base Score 0.0-3.9).

Given the large number of published vulnerabilities of high severity, product users should check vulnerability information daily, and updates and security patches for the products they use should be applied without delay.

Figure 5. Annual Changes in Severity of Vulnerabilities

1.3 Kinds of Products

Figure 6 shows the annual change in the kinds of software products registered to JVN iPedia as having vulnerabilities, by publication date.

Publication of vulnerability countermeasure information is increasing every year for application software: desktop applications such as Internet Explorer, Firefox and Microsoft Office; middleware such as web servers, application servers and databases; and development and management platforms such as PHP, Java and the GNU libraries.

Since many new applications are developed each year and they continue to carry both old and new kinds of vulnerability, improving security measures for application software should be an especially high priority.

For operating systems such as Windows, Mac OS, UNIX and Linux, the number of published vulnerabilities initially rose, but it has fallen since 2005.

This is because, although new OS vulnerabilities are discovered every year, countermeasures for them are promptly incorporated into the subsequent product releases.

From around 2005, vulnerabilities in embedded software products, that is, so-called intelligent home appliances such as network devices, cell phones and DVD recorders, have gradually begun to be published.

In addition, since around 2008, vulnerabilities in Supervisory Control And Data Acquisition (SCADA) systems used in critical infrastructure have also been reported: 6 vulnerabilities were published in 2008 and 9 in 2009.

Figure 6. Annual Changes in Kinds of Products with Vulnerabilities

1.4 Open Source Software

Figure 7 shows the annual change in JVN iPedia registered vulnerabilities in open source software (OSS) and non-OSS, by the date they were first made public. 30 percent of the registered vulnerabilities concern OSS and 70 percent non-OSS.

Looking at the OSS to non-OSS ratio by year, the share of OSS rose steadily from 1998 to 2003, but after peaking in 2003 it has shown a decreasing trend.

Figure 7. Annual Changes in Number of OSS and Non-OSS Cases

1.5 Product Vendors

Figures 8 and 9 show the breakdown of software developers (vendors) registered on JVN iPedia, Figure 8 for OSS vendors and Figure 9 for non-OSS vendors.

As shown in Figure 8, the 294 registered OSS vendors consist of 57 domestic vendors, 21 foreign vendors with an office in Japan and 216 foreign vendors without an office in Japan.

Similarly, as shown in Figure 9, the 202 registered non-OSS vendors consist of 105 domestic vendors, 58 foreign vendors with an office in Japan and 39 foreign vendors without an office in Japan.

For OSS, a large share of the registered vulnerability countermeasure information comes from foreign vendors without an office in Japan.

When using OSS, product users who lack the knowledge needed to update the software to the latest version or to apply security patches should consider a support contract and/or the product support services offered by the vendor.

Figure 8. OSS Vendors / Figure 9. Non-OSS Vendors

2. Most Accessed Vulnerability Countermeasure Information

Table 2 lists the 20 most accessed vulnerability countermeasure information entries in the JVN iPedia database during the 4th quarter of 2009.

Entries published some time ago, such as those on DNS, OpenSSL, Apache Tomcat, Lhaplus and Namazu, still recorded high access counts, showing continued user interest in these products.

Among recently published entries, those on IPv6, Cybozu and PHP also attracted a large number of accesses.

Table 3 lists the five most accessed entries among those reported by domestic product developers.

Table 2. Top 20 Most Accessed Vulnerability Countermeasure Information in JVN iPedia
(Access = access count in 2009 4Q; CVSS = CVSS Base Score; Date Public = date first published)

 #  ID                 Access  CVSS  Date Public  Title
 1  JVNDB-2008-001495   2,066   6.4  2008/7/23    DNS cache poisoning vulnerability in multiple DNS products (in Japanese)
 2  JVNDB-2009-000068   1,308   5.7  2009/10/26   Implementations of IPv6 may be vulnerable to denial of service (DoS) attacks
 3  JVNDB-2008-001647   1,147   7.5  2008/9/10    Jasmine WebLink Template Multiple Vulnerabilities
 4  JVNDB-2005-000601   1,099   2.6  2007/4/1     OpenSSL version rollback vulnerability
 5  JVNDB-2008-000009     996   4.3  2008/2/12    Apache Tomcat fails to properly handle cookie value
 6  JVNDB-2008-000022     979   6.8  2008/4/28    Lhaplus buffer overflow vulnerability
 7  JVNDB-2008-000018     916   4.3  2008/3/21    Namazu cross-site scripting vulnerability
 8  JVNDB-2009-001911     913   5.0  2009/8/20    XML Digital Signature Authentication Bypass Vulnerability (in Japanese)
 9  JVNDB-2009-000067     841   2.6  2009/10/15   Multiple Cybozu products vulnerable to cross-site scripting
 9  JVNDB-2008-001150     841   3.6  2008/3/14    JP1/HIBUN Encryption/Decryption and Removable Media Control Malfunction Problems
11  JVNDB-2008-001043     838   7.4  2008/1/31    X.Org Foundation X server buffer overflow vulnerability
12  JVNDB-2009-000065     835   2.6  2009/10/2    SugarCRM vulnerable to cross-site scripting
13  JVNDB-2008-000084     833   2.6  2008/12/19   PHP vulnerable to cross-site scripting
14  JVNDB-2008-000050     823   4.3  2008/8/12    Virus Security and Virus Security ZERO denial of service (DoS) vulnerability
15  JVNDB-2008-000055     796   2.6  2008/9/1     Blogn vulnerable to cross-site scripting
16  JVNDB-2007-001017     773   4.3  2007/12/20   Improper HTTP method examination for Apache HTTP Server 413 Error Message (in Japanese)
17  JVNDB-2009-000064     763   5.0  2009/9/18    Directory traversal vulnerability in multiple phpspot products
18  JVNDB-2008-001313     760   5.0  2008/5/9     JP1/Cm2/Network Node Manager Denial of Service Vulnerability
19  JVNDB-2009-000037     757   4.3  2009/6/18    Apache Tomcat denial of service (DoS) vulnerability
20  JVNDB-2007-000819     752   4.3  2007/12/13   Cross-site scripting vulnerability in Apache HTTP Server "mod_imap" and "mod_imagemap"

Table 3. Top 5 Most Accessed Vulnerability Countermeasure Information From Domestic Developers
(Access = access count in 2009 4Q; CVSS = CVSS Base Score; Date Public = date first published)

 #  ID                 Access  CVSS  Date Public  Title
 1  JVNDB-2008-001647   1,147   7.5  2008/9/10    Jasmine WebLink Template Multiple Vulnerabilities
 2  JVNDB-2008-001150     841   3.6  2008/3/14    JP1/HIBUN Encryption/Decryption and Removable Media Control Malfunction Problems
 3  JVNDB-2008-001313     760   5.0  2008/5/9     JP1/Cm2/Network Node Manager Denial of Service Vulnerability
 4  JVNDB-2008-001895     616   6.5  2008/11/26   JP1/VERITAS NetBackup JAVA Administration GUI Privilege Escalation Vulnerability
 5  JVNDB-2008-001350     445   4.3  2008/5/28    Hitachi Groupmax Collaboration Products Cross-Site Scripting Vulnerability

Note 1) CVSS Base Score and Severity Level (color-coded in the original tables)

  CVSS Base Score 0.0-3.9   Severity Level Low
  CVSS Base Score 4.0-6.9   Severity Level Medium
  CVSS Base Score 7.0-10.0  Severity Level High

Note 2) Published Date (color-coded in the original tables)

  Published in 2007 / Published in 2008 / Published in 2009

Footnote

(*1)Released on November 30, 2009.
http://www.ipa.go.jp/security/english/vuln/200911_myjvn_vc_en.html

(*2)Released on December 21, 2009.
http://www.ipa.go.jp/security/english/vuln/200912_myjvn_cc_en.html

(*3)Common Vulnerability Scoring System (CVSS) Summary:
http://www.ipa.go.jp/security/vuln/CVSS.html (in Japanese)
A Complete Guide to the Common Vulnerability Scoring System Version 2.0:
http://www.first.org/cvss/cvss-guide.html (FIRST - Forum of Incident Response and Security Teams)

(*4)Common Vulnerabilities and Exposures. A standard, unique-identifier numbering system on vulnerabilities, providing a list of CVE-IDs for each vulnerability. For more information, refer to “CVE (Common Vulnerabilities and Exposures) Overview”:
http://www.ipa.go.jp/security/english/vuln/CVE_en.html

(*5)Refer to “CWE (Common Weakness Enumeration) Overview”:
http://www.ipa.go.jp/security/english/vuln/CWE_en.html

(*6)How to Secure Your Web Site:
http://www.ipa.go.jp/security/english/vuln/200806_websecurity_en.html

(*7)Secure Programming Course (in Japanese):
http://www.ipa.go.jp/security/awareness/vendor/programmingv2/index.html

(*8)Japan Vulnerability Notes. A portal for vulnerability countermeasure information, providing information on vendor responses to reported vulnerabilities and on security support. Operated jointly by IPA and JPCERT/CC.
http://jvn.jp/en/

(*9)National Vulnerability Database. A vulnerability database operated by NIST.
http://nvd.nist.gov/home.cfm

(*10)National Institute of Standards and Technology. A U.S. federal agency that develops and promotes measurement, standards and technology.
http://www.nist.gov/

(*11)Transition to the New Version of Vulnerability Severity Scoring System CVSS v2. CVSS (Common Vulnerability Scoring System).
http://www.ipa.go.jp/security/vuln/SeverityLevel2.html (in Japanese)

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)