IPA/ISEC: Vulnerabilities: JVN iPedia Registration Status for 2010 2Q
~Check information on old vulnerabilities regularly for updates and make sure your system is clear of them~
Aug 6, 2010
Information-technology Promotion Agency, Japan (IPA, Chairman Kazumasa Fujie) has issued a quarterly analysis report on the vulnerabilities registered to JVN iPedia, a vulnerability countermeasure information database, for the second quarter (April to June) of 2010.
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/) aims to be a comprehensive database that gathers vulnerability countermeasure information for software products used in Japan and makes it easily accessible to IT users. JVN iPedia collects and translates the vulnerability countermeasure information made public by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), a vulnerability information database run by NIST(*3), and has made this information available to the public since April 25, 2007.
~Vulnerability information translated from NIST database now surpasses 7,500~
Among the vulnerability information registered to the Japanese version of JVN iPedia in the 2nd quarter of 2010 (April 1, 2010 to June 30, 2010), 10 cases were gathered from domestic developers (98 cumulative cases since the launch of JVN iPedia), 38 cases from JVN (787 cumulative cases) and 390 cases from NVD (7,561 cumulative cases), bringing the quarterly total to 438 cases.
The number of vulnerability information entries on products popularly used in Japan and translated from NVD has now passed 7,500, and the cumulative total of registered entries is 8,446 (Table 1, Figure 1).
By type of product reported to the Japanese version of JVN iPedia in the 2nd quarter of 2010, operating systems such as Linux, UNIX, Windows and Mac OS account for 76 cases; applications such as Safari, Firefox, Microsoft Office, Java, web servers and databases for 359; embedded software for 1; and SCADA (Supervisory Control And Data Acquisition) systems used in critical infrastructure for 2.
As for the English version of JVN iPedia, 10 cases were gathered from domestic developers (98 cumulative cases) and 20 from JVN (441 cumulative cases), making a quarterly total of 30 cases (539 cumulative cases).
Table 1. Registered Vulnerabilities in 2nd Quarter of 2010

Information Source | | 2010 2Q | Total Sum |
---|---|---|---|
Japanese Version | Domestic Developers | 10 | 98 |
| JVN | 38 | 787 |
| NVD | 390 | 7,561 |
| Total | 438 | 8,446 |
English Version | Domestic Developers | 10 | 98 |
| JVN | 20 | 441 |
| Total | 30 | 539 |
~A number of vulnerability information on popular products in Japan are made available~
Table 2 shows the number of vulnerabilities registered to the Japanese version of JVN iPedia by the types of products. Those categorized as OS are 2,694 cases, 5,575 for applications, 158 for embedded software and 19 for SCADA.
Table 2. Types of Products Registered

Types of Products | Cases |
---|---|
OS (Operating System) | 2,694 |
Applications | 5,575 |
Embedded Software | 158 |
SCADA | 19 |
Total | 8,446 |
Some products in each category are reported repeatedly. Among OS, Linux products such as Red Hat Enterprise Linux and MIRACLE LINUX, UNIX products such as HP-UX, Microsoft Windows and Mac OS are often reported. Among applications, desktop applications such as Microsoft Office and Mozilla Firefox, middleware such as Oracle Database, and PHP and Java are typical examples. Among embedded products, appliances such as routers and switches are often reported. For SCADA, the products of overseas vendors such as GE-Fanuc, AREVA T&D and Rockwell Automation are mainly reported.
A lot of vulnerability information on software used in Japan is published on a daily basis. IT users need to check vulnerability information daily and apply product updates and security patches without delay.
MyJVN (http://jvndb.jvn.jp/apis/myjvn/), offered by IPA, makes it easy to look up vulnerability information by vendor name and product name. IPA hopes IT users will make use of MyJVN and fix vulnerabilities as soon as possible.
~Check information on old vulnerabilities regularly and make sure your system is free of them~
Table 3 lists the top 20 most accessed vulnerability countermeasure information entries in JVN iPedia between July 2009 and June 2010, and Table 4 shows how their ranking changed by quarter.
Among the top 20, the information on 14 vulnerabilities has been updated since it was first published. In particular, Apache Tomcat (3rd) and Apache HTTP Server (10th) have been updated more than 10 times, and 6 vulnerabilities have been updated after January 2010; the information on SSL and TLS (4th) was updated on June 17, 2010. This suggests that vulnerability information that has been updated many times, or updated recently, attracts access.
Looking at the vulnerabilities' CVSS(*4) levels, only one vulnerability is ranked Level III (High); most are Level I (Low) or Level II (Medium). Only 5 of the top 20 vulnerabilities of this quarter (April 2010 to June 2010) also appear in the top 20 of the last 12 months (July 2009 to June 2010), which suggests that IT users' interest in vulnerability information is shifting.
After its initial disclosure, vulnerability information may be updated to add affected products and/or vendor information. Information on old vulnerabilities is sometimes updated as well, as with Apache Tomcat (3rd) and Apache HTTP Server (10th) in Table 3.
Since the information on old vulnerabilities may be updated from time to time, website and system administrators should check the vulnerability information relevant to their IT systems regularly and take proper measures if they find unpatched vulnerabilities.
Table 3. Top 20 Most Accessed Vulnerability Countermeasure Information in JVN iPedia [Jul. 2009 - Jun. 2010]

# | ID | Title | Access | CVSS | Published | Last Updated |
---|---|---|---|---|---|---|
1 | JVNDB-2008-001495 | DNS cache poisoning vulnerability in multiple DNS products (in Japanese) | 5,966 | 6.4 | 2008/7/23 | 2009/2/24 |
2 | JVNDB-2005-000601 | | 3,720 | 2.6 | 2007/4/1 | 2007/12/3 |
3 | JVNDB-2008-000009 | | 3,695 | 4.3 | 2008/2/12 | 2010/1/5 |
4 | JVNDB-2009-002319 | SSL and TLS protocols renegotiation vulnerability (in Japanese) | 3,172 | 6.4 | 2009/12/14 | 2010/6/17 |
5 | JVNDB-2008-000022 | | 3,119 | 6.8 | 2008/4/28 | 2008/4/28 |
6 | JVNDB-2009-000037 | | 3,085 | 4.3 | 2009/6/18 | 2010/4/23 |
7 | JVNDB-2009-000036 | Virus Security and Virus Security ZERO denial of service (DoS) vulnerability | 3,032 | 4.3 | 2009/6/18 | 2010/4/23 |
8 | JVNDB-2008-000050 | | 3,009 | 4.3 | 2008/8/12 | 2008/8/12 |
9 | JVNDB-2008-001043 | | 2,972 | 7.4 | 2008/1/31 | 2008/11/23 |
10 | JVNDB-2007-001017 | Improper HTTP method examination for Apache HTTP Server 413 Error Message (in Japanese) | 2,938 | 4.3 | 2007/12/20 | 2009/11/13 |
11 | JVNDB-2007-000819 | Cross-site scripting vulnerability in Apache HTTP Server "mod_imap" and "mod_imagemap" | 2,897 | 4.3 | 2007/12/13 | 2009/8/10 |
12 | JVNDB-2008-001647 | | 2,873 | 7.5 | 2008/9/10 | 2009/3/30 |
13 | JVNDB-2008-000018 | | 2,800 | 4.3 | 2008/3/21 | 2009/10/27 |
14 | JVNDB-2009-001911 | XML signature HMAC truncation authentication bypass (in Japanese) | 2,779 | 5.0 | 2009/8/20 | 2010/2/26 |
15 | JVNDB-2008-000084 | | 2,719 | 2.6 | 2008/12/19 | 2009/6/23 |
16 | JVNDB-2009-000010 | | 2,695 | 2.6 | 2009/2/26 | 2009/2/26 |
17 | JVNDB-2009-000053 | | 2,496 | 7.1 | 2009/8/5 | 2009/8/5 |
18 | JVNDB-2009-000068 | Implementations of IPv6 may be vulnerable to denial of service (DoS) attacks | 2,478 | 5.7 | 2009/10/26 | 2010/1/25 |
19 | JVNDB-2008-001150 | JP1/HIBUN Encryption/Decryption and Removable Media Control Malfunction Problems | 2,439 | 3.6 | 2008/3/14 | 2008/3/14 |
20 | JVNDB-2008-001313 | JP1/Cm2/Network Node Manager Denial of Service Vulnerability | 2,423 | 5.0 | 2008/5/9 | 2008/5/9 |
Note 1) Color code for CVSS base score and severity level: 0.0~3.9 = Low, 4.0~6.9 = Medium, 7.0~10.0 = High.
Note 2) Color code for published date: published in 2007, 2008, 2009 or 2010.
Table 4. Top 20 Most Accessed Vulnerability Countermeasure Information in JVN iPedia [Quarterly Ranking]

# | ID | Title | 2009/3Q | 2009/4Q | 2010/1Q | 2010/2Q |
---|---|---|---|---|---|---|
1 | JVNDB-2008-001495 | DNS cache poisoning vulnerability in multiple DNS products (in Japanese) | 1st | 1st | 2nd | 8th |
2 | JVNDB-2005-000601 | | 2nd | 4th | 10th | 24th |
3 | JVNDB-2008-000009 | | 3rd | 5th | 7th | 14th |
4 | JVNDB-2009-002319 | SSL and TLS protocols renegotiation vulnerability (in Japanese) | - | Outside | 1st | 1st |
5 | JVNDB-2008-000022 | | 19th | 6th | 11th | 22nd |
6 | JVNDB-2009-000037 | | 5th | 19th | 17th | 23rd |
7 | JVNDB-2009-000036 | Virus Security and Virus Security ZERO denial of service (DoS) vulnerability | 9th | 25th | 9th | 21st |
8 | JVNDB-2008-000050 | | 6th | 14th | 19th | 31st |
9 | JVNDB-2008-001043 | | 22nd | 11th | 15th | 17th |
10 | JVNDB-2007-001017 | Improper HTTP method examination for Apache HTTP Server 413 Error Message (in Japanese) | 14th | 16th | 12th | 26th |
11 | JVNDB-2007-000819 | Cross-site scripting vulnerability in Apache HTTP Server "mod_imap" and "mod_imagemap" | 27th | 20th | 13th | 13th |
12 | JVNDB-2008-001647 | | 34th | 3rd | 20th | 47th |
13 | JVNDB-2008-000018 | | 31st | 7th | 16th | 34th |
14 | JVNDB-2009-001911 | XML signature HMAC truncation authentication bypass (in Japanese) | 62nd | 8th | 5th | 79th |
15 | JVNDB-2008-000084 | | 18th | 13th | 25th | 33rd |
16 | JVNDB-2009-000010 | | 12th | 23rd | 21st | 38th |
17 | JVNDB-2009-000053 | | 4th | 37th | 51st | Outside |
18 | JVNDB-2009-000068 | Implementations of IPv6 may be vulnerable to denial of service (DoS) attacks | - | 2nd | 18th | 36th |
19 | JVNDB-2008-001150 | JP1/HIBUN Encryption/Decryption and Removable Media Control Malfunction Problems | 47th | 10th | 28th | 48th |
20 | JVNDB-2008-001313 | JP1/Cm2/Network Node Manager Denial of Service Vulnerability | 38th | 18th | 30th | 41st |
CWE(*5) is a hierarchically structured list of weakness types that helps identify software vulnerabilities. CWE makes it possible to identify, analyze and globally compare vulnerabilities that come in a wide variety. Figure 2 illustrates the number of vulnerability countermeasure information entries registered during the 2nd quarter, sorted by vulnerability type using CWE.
The types of vulnerabilities reported most often this quarter are CWE-119 (Buffer Errors) with 70 cases, CWE-399 (Resource Management Errors) with 42 cases, CWE-264 (Permissions, Privileges, and Access Controls) with 39 cases, CWE-79 (Cross-Site Scripting) with 30 cases, CWE-94 (Code Injection) with 25 cases, CWE-20 (Insufficient Input Validation) with 23 cases and CWE-189 (Numeric Errors) with 15 cases.
Most of these are well-known types of vulnerabilities. Software developers should refer to the IPA guidelines that address them, such as “How to Secure Your Web Site”(*6), “How to Use SQL Calls to Secure Your Web Site”(*7) and the “Secure Programming Course”(*8), to make sure that the necessary security measures are implemented from the planning and design phase of software development.
Figure 3 shows the annual transitions in the severity of vulnerabilities registered to JVN iPedia, based on the date they were first made public by product developers or by other means, such as release on security portal sites. The publication of vulnerability countermeasure information has increased dramatically since 2004 and continued to show an increasing tendency through 2009.
JVN iPedia rates each vulnerability according to CVSS(*4) and publishes its severity level(*9).
Considering that a large share of the published vulnerabilities is labeled with the higher severity levels, it is essential for product users to check vulnerability information on a daily basis and to apply updates or security patches for the products in use without delay.
Figure 4 shows the annual transitions in the type of software products registered to JVN iPedia for having vulnerabilities, based on their respective publication dates.
Publication of vulnerability countermeasure information is increasing annually for application software, including desktop applications such as Safari, Internet Explorer, Firefox and Microsoft Office, middleware products such as web servers, application servers and databases, as well as PHP and Java. Since many new applications are developed each year and they continue to carry both old and new vulnerabilities, improving security measures for application software should be an especially high priority.
As for operating systems such as Windows, Mac OS, UNIX and Linux, the number of published vulnerabilities initially had an increasing trend, but the number dropped off as of 2005. This could be because, even though new vulnerabilities are discovered each year, OS vulnerability countermeasures are implemented promptly in the subsequent product.
Around 2005, vulnerabilities in embedded software products such as intelligent home appliances (network devices, cell phones and DVD recorders) gradually began to be published.
In addition, around 2008, vulnerabilities in SCADA (Supervisory Control And Data Acquisition) systems used in critical infrastructures began to be reported as well. Six vulnerabilities were published in 2008, 9 in 2009 and 4 in 2010 so far, bringing the total number of reported SCADA vulnerabilities to 19.
Figure 5 shows the annual transitions in JVN iPedia registered vulnerabilities found in open source software (OSS) and non-OSS, based on the date they were first made public. 34 percent of the registered vulnerabilities are in OSS and 66 percent in non-OSS. Looking at the OSS to non-OSS ratio by year, OSS had a successively upward trend from 1998 to 2003, but after peaking in 2003 the ratio of OSS has shown a decreasing trend.
Figures 6 and 7 illustrate the breakdown of software developers (vendors) registered on JVN iPedia, with Figure 6 representing OSS vendors and Figure 7 representing non-OSS vendors.
As shown in Figure 6, the registered OSS vendors consist of 62 domestic vendors, 22 foreign vendors with an office in Japan and 221 foreign vendors without an office in Japan, a cumulative total of 305 OSS vendors. Similarly, as Figure 7 shows, the 212 registered non-OSS vendors consist of 108 domestic vendors, 61 foreign vendors with an office in Japan and 43 foreign vendors without an office in Japan.
In the case of OSS vendors, a large part of the registered vulnerability countermeasure information comes from foreign vendors without an office in Japan. When using OSS, if product users do not have the knowledge required to update software to the latest version or to apply security patches, they should consider support contracts and/or purchasing the product support services provided by the vendor.
Table 5 lists the top 20 most accessed vulnerability countermeasure information entries in the JVN iPedia database during the 2nd quarter of 2010 (April to June). Vulnerability countermeasure information published some time ago, such as that on DNS, OpenSSL and Apache Tomcat, is still attracting a lot of attention. Among recently released vulnerability information, entries such as those on the Ichitaro series, Cybozu, MODx, and Cisco Router and Security Device Manager also attracted a large number of accesses.
Table 6 lists the top 5 vulnerability countermeasure information accessed among those reported by domestic product developers.
Table 5. Top 20 Most Accessed Vulnerability Countermeasure Information in JVN iPedia [Apr. 2010 - Jun. 2010]

# | ID | Title | Access | CVSS | Published |
---|---|---|---|---|---|
1 | JVNDB-2009-002319 | SSL and TLS protocols renegotiation vulnerability (in Japanese) | 1365 | 6.4 | 2009/12/14 |
2 | JVNDB-2010-000015 | | 1359 | 9.3 | 2010/4/12 |
3 | JVNDB-2010-000016 | | 1092 | 5.8 | 2010/4/20 |
4 | JVNDB-2010-001229 | | 1043 | 10.0 | 2010/4/9 |
5 | JVNDB-2010-000012 | | 961 | 7.5 | 2010/4/8 |
6 | JVNDB-2010-000011 | | 938 | 4.3 | 2010/4/7 |
7 | JVNDB-2010-000014 | | 936 | 4.3 | 2010/4/8 |
8 | JVNDB-2008-001495 | DNS cache poisoning vulnerability in multiple DNS products (in Japanese) | 934 | 6.4 | 2008/7/23 |
9 | JVNDB-2010-001371 | | 741 | 10.0 | 2010/5/10 |
10 | JVNDB-2010-000024 | | 715 | 9.3 | 2010/6/1 |
11 | JVNDB-2010-000010 | | 697 | 7.5 | 2010/4/2 |
12 | JVNDB-2010-000006 | | 695 | 5.8 | 2010/3/5 |
13 | JVNDB-2007-000819 | Cross-site scripting vulnerability in Apache HTTP Server "mod_imap" and "mod_imagemap" | 676 | 4.3 | 2007/12/13 |
14 | JVNDB-2008-000009 | | 676 | 4.3 | 2008/2/12 |
15 | JVNDB-2010-001537 | | 674 | 9.3 | 2010/6/17 |
16 | JVNDB-2009-000018 | | 666 | 6.8 | 2009/4/7 |
17 | JVNDB-2008-001043 | | 661 | 7.4 | 2008/1/31 |
18 | JVNDB-2010-001174 | | 650 | 4.3 | 2010/3/23 |
19 | JVNDB-2010-000013 | | 633 | 4.3 | 2010/4/8 |
20 | JVNDB-2010-000019 | | 610 | 7.8 | 2010/5/17 |
Table 6. Top 5 Most Accessed Vulnerability Countermeasure Information from Domestic Developers [Apr. 2010 - Jun. 2010]

# | ID | Title | Access | CVSS | Published |
---|---|---|---|---|---|
1 | JVNDB-2008-001313 | JP1/Cm2/Network Node Manager Denial of Service Vulnerability | 459 | 5.0 | 2008/5/9 |
2 | JVNDB-2008-001647 | | 426 | 7.5 | 2008/9/10 |
3 | JVNDB-2008-001150 | JP1/HIBUN Encryption/Decryption and Removable Media Control Malfunction Problems | 424 | 3.6 | 2008/3/14 |
4 | JVNDB-2008-001895 | JP1/VERITAS NetBackup JAVA Administration GUI Privilege Escalation Vulnerability | 410 | 6.5 | 2008/11/26 |
5 | JVNDB-2010-001204 | | 329 | 5.0 | 2010/4/2 |
Note 1) Color code for CVSS base score and severity level: 0.0~3.9 = Low, 4.0~6.9 = Medium, 7.0~10.0 = High.
Note 2) Color code for published date: published in ... / published in 2010.
(*1) Japan Vulnerability Notes. A portal for vulnerability countermeasure information, providing information on vendor responses to reported vulnerabilities and on security support. Operated jointly by IPA and JPCERT/CC.
http://jvn.jp/en/
(*2) National Vulnerability Database. A vulnerability database operated by NIST.
http://nvd.nist.gov/home.cfm
(*3) National Institute of Standards and Technology. A U.S. federal agency that develops and promotes measurement, standards and technology.
http://www.nist.gov/
(*4) Common Vulnerability Scoring System (CVSS) v2 Summary:
http://www.ipa.go.jp/security/vuln/SeverityCVSS2.html (in Japanese)
(*5) Refer to “CWE (Common Weakness Enumeration) Overview”:
http://www.ipa.go.jp/security/english/vuln/CWE_en.html
(*6) How to Secure Your Web Site:
http://www.ipa.go.jp/security/english/third.html#websecurity
(*7) How to Use SQL Calls to Secure Your Web Site:
http://www.ipa.go.jp/security/vuln/websecurity.html (in Japanese)
(*8) Secure Programming Course:
http://www.ipa.go.jp/security/awareness/vendor/programmingv2/index.html (in Japanese)
(*9) Transition to the New Version of the Vulnerability Severity Scoring System, CVSS v2:
http://www.ipa.go.jp/security/vuln/SeverityLevel2.html (in Japanese)
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: