
IPA/ISEC:Vulnerabilities:JVN iPedia Registration Status for 2011 2Q

Jul. 21, 2011

1. 2011 2nd Quarter Vulnerability Countermeasure Information Database JVN iPedia Registration Status (Overview)

The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/) aims to become a comprehensive database in which vulnerability countermeasure information for software products used in Japan is gathered and made easily accessible to IT users. JVN iPedia collects and translates the vulnerability countermeasure information made public by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), a vulnerability information database run by NIST(*3). JVN iPedia has made this information available to the public since April 25, 2007.

1.1. Vulnerabilities Registered in 2011/2Q

~Vulnerability information stored in JVN iPedia now surpasses 10,800~

Of the vulnerability information registered to the Japanese version of JVN iPedia in the 2nd quarter of 2011 (April 1 to June 30, 2011), 5 cases were gathered from domestic developers (123 cumulative cases since the launch of JVN iPedia), 125 cases from JVN (1,241 cumulative cases), and 508 cases from NVD (9,485 cumulative cases), bringing the quarterly total to 638 cases (10,849 cumulative cases). The number of vulnerability information entries stored in JVN iPedia is now over 10,800 (see Table 1, Figure 1).

The Japanese version of JVN iPedia actively collects vulnerability information about control system software from outside sources such as NVD. In the first half of 2011 (January 1 to June 30, 2011), 22 cases were collected. Last year, Stuxnet(*4), a virus targeting a control system, raised great concern, and vulnerabilities in control systems have continued to be reported frequently since then. Considering the impact on social infrastructure, vulnerabilities in control systems should be watched carefully.

As for the English version of JVN iPedia, 6 cases were gathered from domestic developers (123 cumulative cases) and 26 from JVN (531 cumulative cases), bringing the quarterly total to 32 cases (654 cumulative cases).

Table 1. Registered Vulnerabilities in 2nd Quarter of 2011

Version          | Information Source          | Registered Cases | Cumulative Cases
Japanese Version | Domestic Product Developers |   5 cases        |    123 cases
Japanese Version | JVN                         | 125 cases        |  1,241 cases
Japanese Version | NVD                         | 508 cases        |  9,485 cases
Japanese Version | Total                       | 638 cases        | 10,849 cases
English Version  | Domestic Product Developers |   6 cases        |    123 cases
English Version  | JVN                         |  26 cases        |    531 cases
English Version  | Total                       |  32 cases        |    654 cases

Figure 1. Quarterly Change in Number of Vulnerabilities Registered

1.2. Hot Topic on the Registered Vulnerability (Topic #1)

~Many vulnerabilities in web service software. Check the vulnerability information and update promptly~

Attacks exploiting vulnerabilities in systems that offer web services via the Internet have occurred frequently in Japan and overseas. A leak of the personal information of more than 100 million people a few months ago attracted great public attention.

A common web service system is designed in three tiers (web server, web application server and database server). JVN iPedia stores a large amount of vulnerability information on software for those server tiers.

Figure 2 shows the annual change in the number of vulnerability information entries about the three tiers of web service software registered to JVN iPedia, based on their respective publication date. In 2006, the number of vulnerabilities in database server and web application server software almost doubled from the previous year, and it has stayed around 200 since then.

Figure 2. Annual Change in Number of Web Service Software Registered

Figures 3, 4 and 5 show the number and severity of vulnerabilities in software for the three tiers of web service software. JVN iPedia rates each vulnerability according to CVSS(*5) and publishes its severity level(*6).

Figure 3 shows the number and severity of vulnerabilities in web server software. Of the total of 305 reported cases, Apache HTTP Server accounts for 35 percent (106 cases). Looking at severity, 32 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 67 percent were labeled level II ("Medium", CVSS Base Score = 4.0-6.9) and 1 percent were level I ("Low", CVSS Base Score = 0.0-3.9).

Figure 3. Severity of Web Server Vulnerability

Figure 4 shows the number and severity of vulnerabilities in web application server software. Of the total of 511 reported cases, Oracle Application Server and IBM WebSphere Application Server account for 74 percent (376 cases). Looking at severity, 40 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 52 percent were labeled level II ("Medium", CVSS Base Score = 4.0-6.9) and 8 percent were level I ("Low", CVSS Base Score = 0.0-3.9).

Figure 4. Severity of Web Application Server Vulnerability

Figure 5 shows the number and severity of vulnerabilities in database server software. Of the total of 561 reported cases, Oracle Database accounts for 59 percent (331 cases). Looking at severity, 40 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 50 percent were labeled level II ("Medium", CVSS Base Score = 4.0-6.9) and 10 percent were level I ("Low", CVSS Base Score = 0.0-3.9).

Figure 5. Severity of Database Server Vulnerability

Recently, attacks exploiting vulnerabilities in web service systems have caused a number of information leakage incidents. Server administrators should check the vulnerability information on their server software and update without delay.

1.3. Hot Topic on the Registered Vulnerability (Topic #2)

~Reports on vulnerabilities in Adobe Flash Player surged~

JVN iPedia stores a total of 182 cases of vulnerability information on Adobe Flash Player. 95 of them are highly severe vulnerabilities that could allow malicious programs to be installed, or data to be altered or deleted, merely by accessing a compromised web page. Figure 6 shows the number and severity of vulnerabilities in Adobe Flash Player. The number has been rising year after year. Looking at severity, 73 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 12 percent were labeled level II ("Medium", CVSS Base Score = 4.0-6.9) and 15 percent were level I ("Low", CVSS Base Score = 0.0-3.9). As these numbers show, many highly serious vulnerabilities have been reported.

Figure 6. Annual Change in Severity of Vulnerability in Adobe Flash Player

Figure 7 shows the quarterly change in the number of security updates for Adobe Flash Player. As the number of highly severe vulnerabilities increases, so does the number of security updates.

Up to the 1st quarter of 2011 (January 1 to March 31, 2011), the number of updates released per quarter was around 2, but it doubled to 4 this quarter.

Figure 7. Quarterly Change in Number of Security Patch for Adobe Flash Player

This shows that IT users must check vulnerability information frequently and update software promptly. IPA offers a free tool, "MyJVN Version Checker", that enables IT users to easily check whether the software applications installed on their PC are the latest version. Use tools like MyJVN Version Checker proactively to keep software up to date and free of known vulnerabilities.

2. 2011 2nd Quarter Vulnerability Countermeasure Information Database JVN iPedia Registration Status (Details)

2.1. Summary of 2011/2Q

2.1.1 Type of vulnerabilities registered in 2011 2Q

CWE(*7) is a hierarchically structured list of weakness types that helps identify software vulnerabilities. CWE makes it possible to identify, analyze and globally compare the wide variety of vulnerabilities. Figure 8 illustrates the number of vulnerability countermeasure information entries registered during the 2nd quarter, sorted by vulnerability type using CWE.

The types of vulnerabilities reported most often this quarter are CWE-119 (Buffer Errors) with 106 cases, CWE-399 (Resource Management Errors) with 72 cases, CWE-20 (Improper Input Validation) with 57 cases, CWE-264 (Permissions, Privileges, and Access Controls) with 34 cases, CWE-189 (Numeric Errors) with 32 cases, CWE-79 (Cross-Site Scripting) with 27 cases and CWE-200 (Information Leak) with 16 cases.

Most of these are well-known types of vulnerabilities. Software developers should refer to the IPA guidelines that address these vulnerabilities, such as the "Secure Programming Course"(*8), to ensure that the necessary security measures are implemented from the planning and design phase of software development. The hands-on vulnerability learning and experiencing tool "AppGoat"(*9) is also an effective way to learn about vulnerabilities.

Figure 8. Number of Types of Vulnerabilities Registered in 2011/2Q

2.1.2 Annual proportion of severity of vulnerabilities

Figure 9 shows the annual change in the severity of vulnerabilities registered to JVN iPedia, based on the date they were first made public by product developers or by other means, such as release on security portal sites. Since 2008, the share of published vulnerabilities labeled level III ("High", CVSS Base Score = 7.0-10.0) has been rising: it was 50 percent in 2010 and is more than 52 percent in 2011.

As of June 30, 2011, 47 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 45 percent were labeled level II ("Medium", CVSS Base Score = 4.0-6.9) and 8 percent were level I ("Low", CVSS Base Score = 0.0-3.9).

Considering that a large share of published vulnerabilities is labeled with the higher severity levels, it is essential for IT users to check vulnerability information on a daily basis and to apply updates or security patches for the products in use without delay.

Figure 9. Annual Change in Severity of Vulnerability

2.1.3 Type of products reported for having vulnerability

Figure 10 shows the annual change in the types of software products registered to JVN iPedia as having vulnerabilities, based on their respective publication date.

Publication of vulnerability information is increasing year by year for application software, including desktop applications such as Adobe Reader, Adobe Flash Player, Safari, Internet Explorer and Firefox; middleware such as web servers, application servers and databases; and application development languages such as PHP and Java. Since many new applications are developed each year with both old and new kinds of vulnerabilities, improving application security is becoming more and more important. It is essential for IT users to check vulnerability information on a daily basis and to apply updates or security patches for the products in use without delay.

Figure 10. Annual Change in Kinds of Products with Vulnerability

2.1.4 Open Source Software

Figure 11 shows the annual change in JVN iPedia registered vulnerabilities found in open source software (OSS) and non-OSS, based on the date they were first made public. Since 2008, the share of OSS has been decreasing, and it stands at 20 percent for 2011 alone. In total, 32 percent of the registered vulnerabilities are in OSS and 68 percent are in non-OSS.

Figure 11. Annual Change in Number of OSS and Non-OSS

2.1.5 Product Vendors

Figures 12 and 13 illustrate the breakdown of OSS and non-OSS software developers (vendors) registered on JVN iPedia, with Figure 12 representing OSS vendors and Figure 13 representing non-OSS vendors.

As shown in Figure 12, the registered OSS vendors consist of 66 domestic vendors, 24 foreign vendors with an office in Japan, and 245 foreign vendors without an office in Japan, a total of 335 OSS vendors. Similarly, as Figure 13 shows, the 266 registered non-OSS vendors consist of 123 domestic vendors, 78 foreign vendors with an office in Japan, and 65 foreign vendors without an office in Japan.

In the case of OSS vendors, most of the registered vulnerability countermeasure information comes from foreign vendors without an office in Japan. When using OSS, if product users do not have the knowledge required to update the software to the latest version or to apply security patches, they should consider concluding a support agreement and/or purchasing the product support services provided by the vendor.

(Left) Figure 12. OSS Vendors (Right) Figure 13. Non-OSS Vendors

2.2. Most Accessed Vulnerability Countermeasure Information

JVN iPedia was accessed 16,430,000 times from July 2010 to June 2011, a monthly average of 1.4 million.

Table 2 lists the 20 most accessed vulnerability countermeasure information entries in the JVN iPedia database during the 2nd quarter of 2011 (April to June). Of the 20, 14 are vulnerabilities released on JVN.

Table 3 lists the 5 most accessed vulnerability countermeasure information entries among those reported by domestic product developers.

Table 2. Top 20 Most Accessed Vulnerability Countermeasure Information in JVN iPedia [Apr. 2011 - Jun. 2011]

#  | ID                | Title                                                                                        | Access Counts | CVSS Score | Date Public
1  | JVNDB-2009-002319 | SSL and TLS protocols renegotiation vulnerability (in Japanese)                               | 1014          | 6.4        | 2009/12/14
2  | JVNDB-2011-000031 | Movable Type vulnerable to cross-site scripting                                              |  958          | 5.0        | 2011/5/25
3  | JVNDB-2011-000030 | iVIEW Suite vulnerable to SQL injection                                                      |  783          | 7.5        | 2011/5/19
4  | JVNDB-2011-000033 | Java Web Start may insecurely load policy files                                              |  779          | 6.8        | 2011/6/10
5  | JVNDB-2009-000061 | Third-party cookie issue in Opera                                                            |  754          | 2.6        | 2009/9/17
6  | JVNDB-2011-000023 | Password Vault Web Access vulnerable to cross-site scripting                                 |  722          | 4.0        | 2011/4/8
7  | JVNDB-2011-000029 | EC-CUBE vulnerable to cross-site request forgery                                             |  710          | 2.6        | 2011/5/10
8  | JVNDB-2011-000028 | Virus Buster 2009 key input encryption function vulnerability                                |  675          | 2.1        | 2011/5/17
9  | JVNDB-2011-000024 | Multiple Yamaha routers vulnerable to denial-of-service (DoS)                                |  640          | 7.8        | 2011/5/10
10 | JVNDB-2011-000022 | Picasa may insecurely load executable files                                                  |  637          | 5.1        | 2011/3/25
11 | JVNDB-2011-001185 | Vulnerability in Java Runtime Environment Component of Multiple Oracle Products (in Japanese) |  625          | 5.0        | 2011/3/8
12 | JVNDB-2010-001740 | Apache Tomcat Information Disclosure Vulnerability (in Japanese)                             |  594          | 6.4        | 2010/7/29
13 | JVNDB-2011-000043 | Ichitaro series vulnerable to arbitrary code execution                                       |  569          | 9.3        | 2011/6/16
14 | JVNDB-2011-000035 | Java Web Start may insecurely load dynamic libraries                                         |  564          | 6.8        | 2011/6/10
15 | JVNDB-2008-001043 | X.Org Foundation X server buffer overflow vulnerability                                      |  560          | 7.4        | 2008/1/31
16 | JVNDB-2011-000026 | Applications that use the Windows Help function may be vulnerable to privilege escalation    |  549          | 7.2        | 2011/5/11
17 | JVNDB-2011-000027 | La Fonera+ vulnerable to denial-of-service (DoS)                                             |  533          | 6.1        | 2011/5/11
18 | JVNDB-2007-001017 | Improper HTTP method examination for Apache HTTP Server 413 error message (in Japanese)      |  521          | 4.3        | 2007/12/20
19 | JVNDB-2010-002548 | OpenSSL Ciphersuite Downgrade Attack (in Japanese)                                           |  508          | 4.3        | 2010/12/24
20 | JVNDB-2011-000025 | Multiple Buffalo routers vulnerable to cross-site request forgery                            |  504          | 4.0        | 2011/5/10

Table 3. Top 5 Most Accessed Vulnerability Countermeasure Information from Domestic Developers [Apr. 2011 - Jun. 2011]

#  | ID                | Title                                                                                   | Access Counts | CVSS Score | Date Public
1  | JVNDB-2011-001145 | JP1/NETM/DM Denial of Service (DoS) Vulnerability                                       | 305           | 5.0        | 2011/3/1
2  | JVNDB-2008-001313 | JP1/Cm2/Network Node Manager Denial of Service Vulnerability                            | 278           | 5.0        | 2008/5/9
3  | JVNDB-2008-001150 | JP1/HIBUN Encryption/Decryption and Removable Media Control Malfunction Problems        | 278           | 3.6        | 2008/3/14
4  | JVNDB-2008-001895 | JP1/VERITAS NetBackup JAVA Administration GUI Privilege Escalation Vulnerability        | 263           | 6.5        | 2008/11/26
5  | JVNDB-2008-001647 | Jasmine WebLink Template Multiple Vulnerabilities                                       | 252           | 7.5        | 2008/9/10

Note 1) Color Code for CVSS Base Score and Severity Level

CVSS Base Score = 0.0~3.9  : Severity Level = I (Low)
CVSS Base Score = 4.0~6.9  : Severity Level = II (Medium)
CVSS Base Score = 7.0~10.0 : Severity Level = III (High)

Note 2) Color Code for Published Date

Published in 2009 and before / Published in 2010 / Published in 2011

Footnote

(*1) Japan Vulnerability Notes. A portal for vulnerability countermeasure information, providing information on vendor responses to reported vulnerabilities and on security support. Operated jointly by IPA and JPCERT/CC.
http://jvn.jp/en/

(*2) National Vulnerability Database. A vulnerability database operated by NIST.
http://nvd.nist.gov/home.cfm

(*3) National Institute of Standards and Technology. A U.S. federal agency that develops and promotes measurement, standards and technology.
http://www.nist.gov/

(*4) A virus that targets nuclear plant control systems.

(*5) Common Vulnerability Scoring System (CVSS)
http://www.ipa.go.jp/security/vuln/SeverityCVSS2.html (in Japanese)

(*6) Transition to the New Version of Vulnerability Severity Scoring System CVSS v2.
http://www.ipa.go.jp/security/vuln/SeverityLevel2.html (in Japanese)

(*7) CWE (Common Weakness Enumeration)
For more information, visit: http://www.ipa.go.jp/security/english/vuln/CWE_en.html

(*8) http://www.ipa.go.jp/security/awareness/vendor/programmingv2/index.html

(*9) A hands-on vulnerability learning and experiencing tool "AppGoat"
http://www.ipa.go.jp/security/vuln/appgoat/index.html (in Japanese)

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)