JVN iPedia Registration Status for 2011 1Q (IPA/ISEC)
Apr. 19, 2011
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/) aims to be a comprehensive database in which vulnerability countermeasure information for software products used in Japan is gathered, so that IT users can easily access the vulnerability information they need. JVN iPedia collects and translates the vulnerability countermeasure information made public by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), a vulnerability information database run by NIST(*3). JVN iPedia has made this information available to the public since April 25, 2007.
~Vulnerability information stored in JVN iPedia now surpasses 10,000~
Of the vulnerability information registered to the Japanese version of JVN iPedia in the 1st quarter of 2011 (January 1 to March 31, 2011), 2 cases were gathered from domestic developers (118 cumulative cases since the launch of JVN iPedia), 121 cases from JVN (1,116 cumulative cases), and 461 cases from NVD (8,977 cumulative cases), bringing the quarterly total to 584 cases (10,211 cumulative cases). The number of vulnerability entries stored in JVN iPedia is now over 10,000 (Table 1, Figure 1).
In recent years, as smartphones have grown more popular, applications for Android have also increased. During 2011/1Q (January 1 to March 31, 2011), security issues in smartphones were pointed out on several occasions. In addition to vulnerabilities in Apple Inc.'s iPhone, 12 vulnerabilities in Google Inc.'s Android and 10 in Research In Motion Limited's BlackBerry were added to JVN iPedia.
As for the English version of JVN iPedia, 1 case was gathered from domestic developers (117 cumulative cases) and 24 from JVN (505 cumulative cases), making the quarterly total 25 cases (622 cumulative cases).
Table 1: Vulnerability countermeasure information registered to JVN iPedia in 2011 1Q

Information Source | | Registered Cases | Cumulative Cases
---|---|---|---
Japanese Version | Domestic Product Developers | 2 cases | 118 cases
 | JVN | 121 cases | 1,116 cases
 | NVD | 461 cases | 8,977 cases
 | Total | 584 cases | 10,211 cases
English Version | Domestic Product Developers | 1 case | 117 cases
 | JVN | 24 cases | 505 cases
 | Total | 25 cases | 622 cases
~Vulnerability information for a variety of product categories is available with JVN iPedia~
As of the end of March 2011, 10,211 vulnerabilities are stored in the Japanese version of JVN iPedia. The number of vendors registered in JVN iPedia is 572 and the number of software products is 2,477.
Breaking the software products down by their intended use shows that JVN iPedia covers a wide variety of product categories: not just PC applications such as web browsers and word processors, but also applications for servers, smartphones, smart home appliances, and industrial control systems such as SCADA (Supervisory Control And Data Acquisition) systems.
Table 2 shows the top 15 product vendors by number of registered vulnerabilities. In 1st place is Red Hat, Inc. with 3,528 vulnerabilities in its products, and in 2nd place is Oracle Corporation with 2,292 vulnerabilities. As the table shows, many vulnerabilities are reported for well-known vendors and popular software. With JVN iPedia, people who use that software can easily access vulnerability information about it.
It is essential for IT users to check on vulnerability information on a daily basis, and apply updates or security patches concerning the product in use without delay.
Table 2: Top 15 vendors by number of registered vulnerabilities

No. | Vendor | Software Product (Popular products) | Number of Registered Vulnerabilities
---|---|---|---
1 | Red Hat | Enterprise Linux, Desktop | 3,528 |
2 | Oracle | Oracle Database, Oracle Solaris | 2,292 |
3 | Miracle Linux | MIRACLE LINUX, Asianux Server | 2,221 |
4 | Microsoft | Microsoft Windows, Microsoft Office | 1,538 |
5 | Apple | Apple Mac OS, QuickTime, Safari | 1,441 |
6 | Turbolinux | Turbolinux Server, Turbolinux Workstation | 986 |
7 | Hewlett-Packard | HP-UX, OpenView | 785 |
8 | IBM | AIX, DB2, WebSphere | 601 |
9 | Mozilla Foundation | Firefox, Thunderbird, SeaMonkey | 530 |
10 | Adobe Systems | Adobe Reader, Adobe Flash Player | 447 |
11 | Cisco Systems | IOS, Adaptive Security Appliances | 361 |
12 | kernel.org | Linux Kernel, Linux-PAM | 310 |
13 | VMware | VMware Player, VMware Server | 274 |
14 | PHP Group | PHP | 204 |
15 | Apache Software Foundation | Apache HTTP Server, Tomcat | 176 |
~Lots of vulnerabilities have been found in widely used PC applications. Update now!~
These days, cyber attacks that exploit the applications IT users commonly use in business and in private life are on the rise. Such attacks are often used in targeted attacks(*4) and viruses, and can cause serious harm.
JVN iPedia rates each vulnerability according to the CVSS(*5) and publishes its severity level(*6).
Figure 2 shows the severity of vulnerabilities, organized by software, for the standard applications whose threat ranked 3rd in the 2011 version of the 10 Major Security Threats(*7). There are 318 vulnerabilities in Microsoft Internet Explorer and 302 in the Microsoft Office family of software. Many other applications also have more than 100 vulnerabilities. Looking at severity, 70 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 26 percent were labeled level II ("Medium", CVSS Base Score = 4.0-6.9) and 2 percent were level I ("Low", CVSS Base Score = 0.0-3.9).
Figure 3 shows the annual transitions in the number of vulnerabilities in these standard applications registered to JVN iPedia. The number of vulnerability reports for Adobe Acrobat, Adobe Reader and Adobe Flash Player is increasing year by year. From 2008 to 2010, the number increased threefold (for Adobe Flash Player, from 20 to 57) or even fourfold (for Adobe Acrobat and Adobe Reader, from 17 to 68).
It is essential for IT users to check on vulnerability information on a daily basis, and apply updates or security patches concerning the product in use without delay.
IPA offers a free tool, "MyJVN Version Checker(*8)", that enables IT users to easily check whether the software installed on their PCs is the latest version. Use tools like MyJVN Version Checker proactively to keep software up-to-date and free of known vulnerabilities.
On March 15, 2011, MyJVN Version Checker and MyJVN Security Configuration Checker were officially recognized by MITRE as OVAL-adopting products through the OVAL Adoption Program. This certifies that MyJVN Version Checker and MyJVN Security Configuration Checker interoperate with the international OVAL implementation specification. OVAL (Open Vulnerability Assessment Language)(*9) is a security assessment language specification for checking the security configuration of computers. It is promoted by MITRE, a non-profit organization supported by the U.S. government, and is used in the United States Government Configuration Baseline(*10) to mitigate vulnerabilities.
Currently, the OVAL data (vulnerability definitions) used by MyJVN Version Checker and MyJVN Security Configuration Checker are prepared by IPA, but since the tools are OVAL-compatible, OVAL data (vulnerability definitions) created by parties other than IPA can be used as well, making it easier to check the vulnerability status and security configuration of applications.
By supporting common standards like OVAL, IPA will keep promoting the use of domestic and overseas vulnerability countermeasure information and developing the environment that helps IT users implement objective and efficient security measures against vulnerability.
CWE(*11) is a hierarchically structured list of weakness types that helps identify software vulnerabilities. CWE makes it possible to identify, analyze and compare, on a global basis, vulnerabilities of widely varying kinds. Figure 4 illustrates the number of vulnerability countermeasure information entries registered during the 1st quarter, sorted by vulnerability type using CWE.
The types of vulnerabilities reported most frequently this quarter are CWE-119 (Buffer Errors) with 132 cases, CWE-399 (Resource Management Errors) with 66 cases, CWE-20 (Improper Input Validation) with 60 cases, CWE-189 (Numeric Errors) with 37 cases, CWE-264 (Permissions, Privileges, and Access Controls) with 26 cases, CWE-200 (Information Leak) with 21 cases, and CWE-79 (Cross-Site Scripting) with 19 cases.
Most of these are well-known types of vulnerabilities. Software developers should refer to the IPA guidelines that address these vulnerabilities, such as the "Secure Programming Course"(*12), to make sure the necessary security measures are implemented from the planning and design phase of software development. The hands-on vulnerability learning tool "AppGoat"(*13) is also effective for learning about vulnerabilities.
Figure 5 shows the annual transitions in the severity of vulnerabilities registered to JVN iPedia, based on the date they were first made public by product developers or through other means, such as release on security portal sites. Since 2008, the share of published vulnerabilities labeled level III ("High", CVSS Base Score = 7.0-10.0) has been on the rise: it was 50 percent in 2010 and over 50 percent (56 percent) in 2011.
As of March 31, 2011, 47 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 45 percent were labeled level II ("Medium", CVSS Base Score = 4.0-6.9) and 8 percent were level I ("Low", CVSS Base Score = 0.0-3.9).
Considering that a large proportion of published vulnerabilities are labeled with the higher severity levels, it is essential for IT users to check on vulnerability information on a daily basis, and apply updates or security patches concerning the product in use without delay.
Figure 6 shows the annual transitions in the type of software products registered to JVN iPedia for having vulnerabilities, based on their respective publication dates.
Publication of vulnerability countermeasure information is increasing year by year for application software, including desktop applications such as Adobe Reader, Adobe Flash Player, Safari, Internet Explorer and Firefox; middleware products such as web servers, application servers and databases; and application development languages such as PHP and Java. Since many new applications are developed each year, carrying both old and new vulnerabilities, improving application security is becoming more and more important.
Since around 2008, vulnerabilities in SCADA systems used in critical infrastructure have been reported as well: 8 vulnerabilities were published in 2008, 9 in 2009 and 6 in 2010, bringing the total number of reported SCADA vulnerabilities to 23.
In 2010, Stuxnet(*14), a virus that specifically targets SCADA systems and exploits the Windows Shell vulnerability (MS10-046), was a hot topic. It is essential for IT users to check on vulnerability information on a daily basis, and apply updates or security patches concerning the product in use without delay.
Figure 7 shows the annual transitions in JVN iPedia registered vulnerabilities found in open source software (OSS) and non-OSS, based on the date they were first made public. Since 2008, the ratio of OSS has shown a decreasing trend, and it is 20 percent in 2011 alone. In total, 32 percent of the registered vulnerabilities are in OSS and 68 percent are in non-OSS.
Figures 8 and 9 illustrate the breakdown of OSS and non-OSS software developers (vendors) registered on JVN iPedia, with Figure 8 representing OSS vendors and Figure 9 representing non-OSS vendors.
As shown in Figure 8, the registered OSS vendors consist of 65 domestic vendors, 24 foreign vendors with an office in Japan, and 234 foreign vendors without an office in Japan, a cumulative total of 323 OSS vendors. Similarly, as Figure 9 shows, the 249 registered non-OSS vendors consist of 121 domestic vendors, 67 foreign vendors with an office in Japan, and 61 foreign vendors without an office in Japan.
In the case of OSS vendors, the vast majority of the registered vulnerability countermeasure information comes from foreign vendors without an office in Japan. When using OSS, if product users do not have the knowledge required to update the software to the latest version or to apply security patches, they should consider a support contract and/or the purchase of product support services from the vendor.
~DLL/EXE hijack vulnerability frequently looked up~
JVN iPedia recorded 15,570,000 hits from April 2010 to March 2011, a monthly average of 1.3 million.
Table 3 lists the 20 most accessed vulnerability countermeasure information entries in the JVN iPedia database during the 1st quarter of 2011 (January - March). Entries for which some time has elapsed since they were first published, such as those on DNS, SSL and Apache HTTP Server, are still getting a lot of attention.
Table 4 lists the 5 most accessed vulnerability countermeasure information entries among those reported by domestic product developers.
Table 4: Top 5 most accessed entries reported by domestic product developers (2011 1Q)

# | ID | Title | Access Counts | CVSS Score | Date Public
---|---|---|---|---|---
1 | JVNDB-2008-001313 | JP1/Cm2/Network Node Manager Denial of Service Vulnerability | 256 | 5.0 | 2008/5/9 |
2 | JVNDB-2008-001150 | JP1/HIBUN Encryption/Decryption and Removable Media Control Malfunction Problems | 254 | 3.6 | 2008/3/14 |
3 | JVNDB-2008-001895 | JP1/VERITAS NetBackup JAVA Administration GUI Privilege Escalation Vulnerability | 243 | 6.5 | 2008/11/26 |
4 | JVNDB-2008-001647 | Jasmine WebLink Template Multiple Vulnerabilities | 202 | 7.5 | 2008/9/10 |
5 | JVNDB-2008-001911 | Groupmax Workflow - Development Kit for Active Server Pages Cross-Site Scripting Vulnerability | 168 | 5.0 | 2008/12/2 |
Note 1) Color Code for CVSS Base Score and Severity Level
- CVSS Base Score = 0.0~3.9: Severity Level = I (Low)
- CVSS Base Score = 4.0~6.9: Severity Level = II (Medium)
- CVSS Base Score = 7.0~10.0: Severity Level = III (High)
Note 2) Color Code for Published Date
- Published in 2009 and before / Published in 2010 / Published in 2011
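The severity levels in Note 1 and the "old entries still drawing attention" observation about Tables 3 and 4 can be applied programmatically to a feed of JVN iPedia entries. The following is an added example, not code from the IPA report or from JVN iPedia; it retypes the five Table 4 rows as sample input, and the one-year staleness threshold and the end-of-quarter reference date are assumptions.

```python
# Added example (not part of the IPA report): classify JVN iPedia entries by
# the CVSS v2 severity levels used in the report (Note 1) and tally a
# breakdown like the report's Figure 2 / Figure 5 percentages.
from collections import Counter
from datetime import date

def severity_level(cvss_base: float) -> str:
    """Map a CVSS v2 base score to the report's severity level I/II/III."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss_base}")
    if cvss_base >= 7.0:
        return "III (High)"      # 7.0 - 10.0
    if cvss_base >= 4.0:
        return "II (Medium)"     # 4.0 - 6.9
    return "I (Low)"             # 0.0 - 3.9

# Table 4 rows from the report, retyped as sample input:
# (JVNDB id, access count, CVSS base score, date public)
TABLE4 = [
    ("JVNDB-2008-001313", 256, 5.0, date(2008, 5, 9)),
    ("JVNDB-2008-001150", 254, 3.6, date(2008, 3, 14)),
    ("JVNDB-2008-001895", 243, 6.5, date(2008, 11, 26)),
    ("JVNDB-2008-001647", 202, 7.5, date(2008, 9, 10)),
    ("JVNDB-2008-001911", 168, 5.0, date(2008, 12, 2)),
]

def severity_breakdown(entries):
    """Return {level: (count, percent)} over the entries; percent is rounded."""
    counts = Counter(severity_level(e[2]) for e in entries)
    total = sum(counts.values())
    return {lvl: (n, round(100 * n / total)) for lvl, n in counts.items()}

def stale_entries(entries, as_of, min_age_days=365):
    """IDs of entries published at least min_age_days before as_of, i.e. old
    advisories still being looked up (assumed threshold, not from the report)."""
    return [e[0] for e in entries if (as_of - e[3]).days >= min_age_days]

if __name__ == "__main__":
    # End of the reporting quarter (March 31, 2011) as the reference date.
    print(severity_breakdown(TABLE4))
    print(stale_entries(TABLE4, date(2011, 3, 31)))
```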
(*1) Japan Vulnerability Notes. A portal for vulnerability countermeasure information providing information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.
http://jvn.jp/en/
(*2) National Vulnerability Database. A vulnerability database operated by NIST.
http://nvd.nist.gov/home.cfm
(*3) National Institute of Standards and Technology. A U.S. federal agency that develops and promotes measurement, standards and technology.
http://www.nist.gov/
(*4) Targeted attack: attacks that focus on specific persons or organizations to steal sensitive information.
(*5) Common Vulnerability Scoring System (CVSS)
http://www.ipa.go.jp/security/vuln/SeverityCVSS2.html (in Japanese)
(*6) Transition to the New Version of Vulnerability Severity Scoring System CVSS v2.
http://www.ipa.go.jp/security/vuln/SeverityLevel2.html (in Japanese)
(*7) 10 Major Threats, 2011 version
http://www.ipa.go.jp/security/vuln/10threats2011.html (in Japanese)
(*8) MyJVN Version Checker
http://jvndb.jvn.jp/apis/myjvn/ (in Japanese)
(*9) OVAL (Open Vulnerability Assessment Language) Overview
http://www.ipa.go.jp/security/english/vuln/OVAL_en.html
(*10) USGCB (United States Government Configuration Baseline)
http://usgcb.nist.gov/
(*11) CWE (Common Weakness Enumeration) Overview
http://www.ipa.go.jp/security/english/vuln/CWE_en.html
(*12) Secure Programming Course
http://www.ipa.go.jp/security/awareness/vendor/programmingv2/index.html
(*13) A hands-on vulnerability learning and experiencing tool "AppGoat"
http://www.ipa.go.jp/security/vuln/appgoat/index.html (in Japanese)
(*14) A virus that targets nuclear plant control systems. For more information, refer to the IPA technical watch report on the new types of attacks:
http://www.ipa.go.jp/about/technicalwatch/20101217.html (in Japanese)
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)