IPA/ISEC:Vulnerabilities:JVN iPedia Registration Status for 2010 3Q

~Vulnerability Information Concerning Critical Infrastructure Also Provided~

November 9, 2010

Information-technology Promotion Agency, Japan (IPA, Chairman Kazumasa Fujie) has issued a quarterly analysis report on the vulnerabilities registered to JVN iPedia, a vulnerability countermeasure information database, for the third quarter (July - September) of the year 2010.

1. Overview of 2010 3Q

The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/) aims to be a comprehensive database that gathers vulnerability countermeasure information for software products used in Japan and makes it easily accessible to IT users. JVN iPedia collects and translates the vulnerability countermeasure information made public by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), a vulnerability information database run by NIST(*3). JVN iPedia has made this information available to the public since April 25, 2007.

1.1 Vulnerabilities registered in 2010 3Q

~Vulnerability information stored in JVN iPedia now surpasses 9,000~

Of the vulnerability information registered to the Japanese version of JVN iPedia in the 3rd quarter of 2010 (July 1, 2010 to September 30, 2010), 12 cases were gathered from domestic developers (110 cumulative cases since the launch of JVN iPedia), 52 cases from JVN (839 cumulative cases), and 517 cases from NVD (8,078 cumulative cases), bringing the quarterly total to 581 cases (9,027 cumulative cases). The number of vulnerability information entries stored in JVN iPedia is now over 9,000 (Table 1, Figure 1).

Examples of the vulnerability information collected in JVN iPedia include information on virtualization software such as VMware and Citrix XenServer, which is used in cloud computing to deliver IT services via the Internet (153 cases), and on Opera, a popular browser on mobile terminals such as smartphones (90 cases).

As for the English version of JVN iPedia, 12 cases were gathered from domestic developers (110 cumulative cases) and 9 from JVN (450 cumulative cases), bringing the quarterly total to 21 cases (560 cumulative cases).

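Table 1. Registered Vulnerabilities in 3rd Quarter of 2010

| Version | Information Source | Registered Cases | Cumulative Cases |
|---|---|---|---|
| Japanese Version | Domestic Product Developers | 12 cases | 110 cases |
| Japanese Version | JVN | 52 cases | 839 cases |
| Japanese Version | NVD | 517 cases | 8,078 cases |
| Japanese Version | Total | 581 cases | 9,027 cases |
| English Version | Domestic Product Developers | 12 cases | 110 cases |
| English Version | JVN | 9 cases | 450 cases |
| English Version | Total | 21 cases | 560 cases |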

Figure 1. Quarterly Changes in Number of Registered Vulnerabilities

1.2 Hot Vulnerability Information in JVN iPedia in 2010 3Q

~Much vulnerability countermeasure information released for products that use DLLs(*4)~

The Windows DLL Hijack Vulnerability(*5) is one of the vulnerabilities registered to JVN iPedia in 2010 3Q. If it is exploited, an attacker could make the user load a fraudulent DLL and execute arbitrary code. This vulnerability affects a wide range of products that use DLLs. Software developers should make sure that their programs do not load a DLL from any unsafe location.
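One way to check that a program loads DLLs only from safe locations is to audit its module-load records. The following is an added example, not part of the IPA report; the record format, the trusted-directory list and every path in it are constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any OS

# Assumption for this example: directories a DLL may legitimately load from.
TRUSTED_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")

def _norm(path):
    # Collapse "..", unify slashes and case so comparisons cannot be dodged.
    return ntpath.normcase(ntpath.normpath(path))

def _inside(path, directory):
    # Append a separator so "System32x" does not match "System32".
    return _norm(path).startswith(_norm(directory).rstrip("\\") + "\\")

def classify_load(process_image, dll_path):
    """Return 'ok' or the reason a DLL load location is unsafe."""
    if dll_path.startswith(("\\\\", "//")):
        return "remote-share"      # UNC path on a network share
    if not ntpath.isabs(dll_path):
        return "relative-path"     # left to the DLL search order
    app_dir = ntpath.dirname(process_image)
    if any(_inside(dll_path, d) for d in TRUSTED_DIRS + (app_dir,)):
        return "ok"
    return "untrusted-dir"

def audit(events):
    """Return (process, dll, reason) for every load that is not 'ok'."""
    flagged = []
    for image, dll in events:
        reason = classify_load(image, dll)
        if reason != "ok":
            flagged.append((ntpath.basename(image), dll, reason))
    return flagged

# Constructed sample records: (process image path, loaded DLL path).
APP = r"C:\Program Files\Viewer\viewer.exe"
SAMPLE_EVENTS = [
    (APP, r"C:\Windows\System32\version.dll"),
    (APP, r"C:\Program Files\Viewer\codec.dll"),
    (APP, r"C:\Users\alice\Downloads\version.dll"),
    (APP, r"\\fileserver\docs\plugin.dll"),
    (APP, r"C:\Windows\System32\..\Temp\helper.dll"),
    (APP, r"C:\Windows\System32x\shim.dll"),
]

if __name__ == "__main__":
    for proc, dll, reason in audit(SAMPLE_EVENTS):
        print(f"{proc}: {dll} -> {reason}")
```

Treating the application's own directory as trusted is only sound when that directory is not writable by ordinary users.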

In addition, Siemens Simatic WinCC and Simatic PCS 7 Default Password Security Bypass Vulnerability(*6), a vulnerability of a SCADA system used in critical infrastructures, has been reported. It is essential for SCADA users to check on vulnerability information on a daily basis, and apply updates and/or security patches concerning the product in use without delay.

1.3 JVN iPedia Usage

~MyJVN makes it easy and efficient to check on vulnerability information~

The Japanese version of JVN iPedia (http://jvndb.jvn.jp/) has over a million hits per month. According to the analysis, most of this access comes through MyJVN(*7), a user interface to access and utilize JVN iPedia, which accounts for 70 percent of the total access count.

By using MyJVN, IT users can easily and efficiently collect vulnerability information, and/or check if the applications installed on their computer have been kept up-to-date. IPA hopes IT managers and users make use of MyJVN to protect their computers.

<MyJVN Families>
• MyJVN Filtered Vulnerability Countermeasure Information Tool
• MyJVN Version Checker
• MyJVN Security Configuration Checker
• MyJVN API(*8)

2. Summary of 2010 3Q

2.1 Many well-known vulnerabilities like buffer overflow still reported

CWE(*9) is a hierarchically structured list of weakness types that helps in identifying software vulnerabilities. CWE makes it possible to identify, analyze and globally compare the wide variety of vulnerabilities. Figure 2 illustrates the number of vulnerability countermeasure information entries registered during the 3rd quarter, sorted by vulnerability type using CWE.

The most frequently reported types of vulnerabilities this quarter are CWE-119 (Buffer Errors) with 95 cases, CWE-264 (Permissions, Privileges, and Access Controls) with 60 cases, CWE-20 (Insufficient Input Validation) with 50 cases, CWE-94 (Code Injection) with 50 cases, CWE-399 (Resource Management Errors) with 46 cases, and CWE-189 (Numeric Errors) with 34 cases.

Most of these are well-known types of vulnerabilities. Software developers should refer to the IPA guidelines that address these vulnerabilities, such as "How to Secure Your Web Site"(*10), "How to Use SQL Calls to Secure Your Web Site"(*11) and the "Secure Programming Course"(*12), to make sure to implement necessary security measures from the planning and design phase of software development.

Figure 2. Number of Types of Vulnerabilities Registered in 2010/3Q

2.2 Many highly risky vulnerabilities reported

JVN iPedia rates each vulnerability according to the CVSS(*13) and publishes its severity level(*14).

Figure 3 shows the annual transitions in the severity of vulnerabilities registered to JVN iPedia based on the date they were first made public by product developers or other means, like the release on the security portal sites. The publication of vulnerability countermeasure information has continued to show an increasing tendency since 2004 and a high percentage of them are serious ones.

As of September 30, 2010, 46 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 45 percent were labeled level II ("Medium", CVSS Base Score = 4.0-6.9) and 9 percent were level I ("Low", CVSS Base Score = 0.0-3.9).

Considering that a vast number of published vulnerabilities are labeled with the higher severity levels, it is essential for IT users to check vulnerability information on a daily basis, and to apply updates or security patches for the products in use without delay.

Figure 3. Annual Changes in Severity of Vulnerabilities

2.3 Vulnerability in application software on the rise

Figure 4 shows the annual transitions in the type of software products registered to JVN iPedia for having vulnerabilities, based on their respective publication dates.

Publication of vulnerability countermeasure information is increasing annually for application software, including desktop applications such as Adobe Reader, Adobe Flash Player, Safari, Internet Explorer, Firefox, middleware products such as web servers, application servers, databases, and those like PHP and Java. Since many new applications are developed each year and they are still accompanied by old and new vulnerabilities, improving security measures concerning application software should be of especially high priority.

As for operating systems such as Windows, Mac OS, UNIX, and Linux, the number of published vulnerabilities initially showed an increasing trend, but dropped off as of 2005. This could be because, even though new vulnerabilities are discovered each year, vulnerability countermeasures for operating systems are implemented promptly in the subsequent product.

Around the year 2005, vulnerabilities in embedded software products like intelligent home appliances, such as network devices, cell phones, and DVD recorders, gradually began to be published.

In addition, since around the year 2008, vulnerabilities in SCADA (Supervisory Control and Data Acquisition) systems used in critical infrastructures have been reported as well. 6 vulnerabilities were published in 2008, 9 in 2009 and 5 in 2010 so far, bringing the total number of reported SCADA vulnerabilities to 20.

Recently, the Stuxnet worm, which exploits the Windows Shell Vulnerability (MS10-046) and specifically targets SCADA systems, has been a hot topic.

It is essential for IT users to check on vulnerability information on a daily basis, and apply updates or security patches concerning the product in use without delay.

Figure 4. Annual Changes in Kinds of Products with Vulnerabilities

2.4 Open Source Software

Figure 5 shows the annual transitions in JVN iPedia registered vulnerabilities found in open source software (OSS) and non-OSS, based on the date they were first made public. 34 percent of the registered vulnerabilities are in OSS and 66 percent are in non-OSS. Looking at the OSS to non-OSS ratio year by year, the share of OSS rose steadily from 1998 to 2003, but after peaking in 2003 it has shown a decreasing trend.

Figure 5. Annual Changes in Number of OSS and Non-OSS cases

2.5 Product Vendors

Figures 6 and 7 illustrate the breakdown of software developers (vendors) registered on JVN iPedia, with Figure 6 representing OSS vendors and Figure 7 representing non-OSS vendors.

As shown in Figure 6, the registered OSS vendors consist of 62 domestic vendors, 24 foreign vendors with an office in Japan, and 224 foreign vendors without an office in Japan, for a cumulative total of 310 OSS vendors. Similarly, as Figure 7 shows, the total of 224 registered non-OSS vendors consists of 111 domestic vendors, 63 foreign vendors with an office in Japan, and 50 foreign vendors without an office in Japan.

In the case of OSS vendors, a vast amount of the registered vulnerability countermeasure information is from foreign vendors without an office in Japan. When using OSS, if product users do not have the knowledge required to update software to the latest version or to apply security patches, it is necessary to consider support contracts and/or the purchase of product support services provided by the vendor.

Figure 6. OSS Vendors, Figure 7. Non-OSS Vendors

3. Most Accessed Vulnerability Countermeasure Information

Table 2 lists the top 20 most accessed vulnerability countermeasure information entries in the JVN iPedia database during the 3rd quarter of 2010 (July - September). Vulnerability countermeasure information for which some time has elapsed since it was first published, such as that on DNS and SSL, is still getting a lot of attention. Recently released vulnerability information, such as that on Apache HTTP Server, Explzh, Winny, Apache Tomcat, OpenSSL, ActiveGeckoBrowser, the Ichitaro series and OpenPNE, also attracted a large number of accesses.

Table 3 lists the top 5 vulnerability countermeasure information accessed among those reported by domestic product developers.

Table 2. Top 20 Most Accessed Vulnerability Countermeasure Information in JVN iPedia [Jul. 2010 - Sep. 2010]

| # | ID | Title | Access Counts | CVSS Score | Date Public |
|---|---|---|---|---|---|
| 1 | JVNDB-2009-002319 | SSL and TLS protocols renegotiation vulnerability (in Japanese) | 1439 | 6.4 | 2009/12/14 |
| 2 | JVNDB-2010-001644 | Information disclosure vulnerability in Apache 'mod_proxy_http' (in Japanese) | 1154 | 4.3 | 2010/07/08 |
| 3 | JVNDB-2010-000026 | Explzh buffer overflow vulnerability | 920 | 6.8 | 2010/06/22 |
| 4 | JVNDB-2010-000030 | Winny vulnerable to buffer overflow | 670 | 7.5 | 2010/8/20 |
| 5 | JVNDB-2010-001740 | Apache Tomcat Information Disclosure Vulnerabilities (in Japanese) | 667 | 6.4 | 2010/7/29 |
| 6 | JVNDB-2008-001495 | DNS cache poisoning vulnerability in multiple DNS products (in Japanese) | 653 | 6.4 | 2008/7/23 |
| 7 | JVNDB-2010-001229 | Vulnerability in two OpenSSL functions (in Japanese) | 647 | 10.0 | 2010/4/9 |
| 8 | JVNDB-2010-001174 | Information disclosure vulnerability in Apache HTTP Server ap_read_request (in Japanese) | 636 | 4.3 | 2010/3/23 |
| 9 | JVNDB-2010-000025 | Multiple vulnerabilities in ActiveGeckoBrowser | 624 | 6.8 | 2010/6/14 |
| 10 | JVNDB-2010-000015 | Ichitaro series vulnerable to arbitrary code execution | 610 | 9.3 | 2010/4/12 |
| 11 | JVNDB-2010-000006 | OpenPNE authentication bypass vulnerability | 592 | 5.8 | 2010/3/5 |
| 12 | JVNDB-2010-000024 | Ichitaro series vulnerable to arbitrary code execution | 580 | 9.3 | 2010/6/1 |
| 13 | JVNDB-2010-000011 | Internet Explorer information disclosure vulnerability | 576 | 4.3 | 2010/4/7 |
| 14 | JVNDB-2010-000020 | CapsSuite Small Edition PatchMeister vulnerable to denial of service | 576 | 7.8 | 2010/5/17 |
| 15 | JVNDB-2010-000019 | WebSAM DeploymentManager vulnerable to denial of service | 572 | 7.8 | 2010/5/17 |
| 16 | JVNDB-2010-000023 | e-Pares vulnerable to session fixation | 568 | 4.0 | 2010/6/2 |
| 17 | JVNDB-2010-000012 | MODx vulnerable to SQL injection | 567 | 7.5 | 2010/4/8 |
| 18 | JVNDB-2010-000014 | Cisco Router and Security Device Manager vulnerable to cross-site scripting | 565 | 4.3 | 2010/4/8 |
| 19 | JVNDB-2010-000022 | e-Pares vulnerable to cross-site request forgery | 546 | 2.6 | 2010/6/2 |
| 20 | JVNDB-2010-000016 | Multiple Cybozu products vulnerable to authentication bypass | 545 | 5.8 | 2010/4/20 |

Table 3. Top 5 Most Accessed Vulnerability Countermeasure Information from Domestic Developers [Jul. 2010 - Sep. 2010]

| # | ID | Title | Access Counts | CVSS Score | Date Public |
|---|---|---|---|---|---|
| 1 | JVNDB-2008-001313 | JP1/Cm2/Network Node Manager Denial of Service Vulnerability | 323 | 5.0 | 2008/5/9 |
| 2 | JVNDB-2010-001204 | Accela BizSearch Access Control Bypass Vulnerability | 314 | 5.0 | 2010/4/2 |
| 3 | JVNDB-2008-001150 | JP1/HIBUN Encryption/Decryption and Removable Media Control Malfunction Problems | 302 | 3.6 | 2008/3/14 |
| 4 | JVNDB-2008-001895 | JP1/VERITAS NetBackup JAVA Administration GUI Privilege Escalation Vulnerability | 299 | 6.5 | 2008/11/26 |
| 5 | JVNDB-2010-001545 | Forced Shutdown or Restart with JP1/ServerConductor/Deployment Manager | 278 | 7.8 | 2010/6/22 |

Note 1) Color Code for CVSS Base Score and Severity Level

CVSS Base Score = 0.0~3.9: Severity Level = I (Low)
CVSS Base Score = 4.0~6.9: Severity Level = II (Medium)
CVSS Base Score = 7.0~10.0: Severity Level = III (High)

Note 2) Color Code for Published Date

Published in 2008 and before; Published in 2009; Published in 2010

Footnote

(*1) Japan Vulnerability Notes. A portal for vulnerability countermeasure information providing information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.
http://jvn.jp/en/

(*2) National Vulnerability Database. A vulnerability database operated by NIST.
http://nvd.nist.gov/home.cfm

(*3) National Institute of Standards and Technology. A U.S. federal agency that develops and promotes measurement, standards and technology.
http://www.nist.gov/

(*4) DLL: Dynamic Link Library. A software component that is loaded when executing a program.

(*5) http://jvndb.jvn.jp/ja/contents/2010/JVNDB-2010-001999.html

(*6) http://jvndb.jvn.jp/ja/contents/2010/JVNDB-2010-001829.html

(*7) A user interface to access and utilize JVN iPedia
http://jvndb.jvn.jp/apis/myjvn/index.html

(*8) A collection of software interfaces to use JVN iPedia via the Internet
http://jvndb.jvn.jp/apis/index.html

(*9) Refer to “CWE (Common Weakness Enumeration) Overview”:
http://www.ipa.go.jp/security/english/vuln/CWE_en.html

(*10) How to Secure Your Web Site:
http://www.ipa.go.jp/security/vuln/websecurity.html

(*11) How to Use SQL Calls to Secure Your Web Site:
http://www.ipa.go.jp/security/vuln/websecurity.html

(*12) Secure Programming Course:
http://www.ipa.go.jp/security/awareness/vendor/programmingv2/index.html (in Japanese)

(*13) Common Vulnerability Scoring System (CVSS) v2 Summary:
http://www.ipa.go.jp/security/vuln/SeverityCVSS2.html (in Japanese)

A Complete Guide to the Common Vulnerability Scoring System Version 2.0:
http://www.first.org/cvss/cvss-guide.html (FIRST - Forum of Incident Response and Security Teams)

(*14) Transition to the New Version of Vulnerability Severity Scoring System CVSS v2.
http://www.ipa.go.jp/security/vuln/SeverityLevel2.html (in Japanese)

A Complete Guide to the Common Vulnerability Scoring System Version 2.0:
http://www.first.org/cvss/cvss-guide.html (FIRST - Forum of Incident Response and Security Teams)

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)