IPA/ISEC: Vulnerabilities: JVN iPedia Registration Status for 2011 3Q
Oct. 20, 2011
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/) aims to be a comprehensive database where vulnerability countermeasure information for software products used in Japan is gathered and where IT users can easily access it. JVN iPedia collects and translates the vulnerability countermeasure information made public by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), a vulnerability information database run by NIST(*3). JVN iPedia has made this information available to the public since April 25, 2007.
~Vulnerability information stored in JVN iPedia now surpasses 11,000~
Of the vulnerability information registered to the Japanese version of JVN iPedia in the 3rd quarter of 2011 (July 1 to September 30, 2011), 3 cases were gathered from domestic developers (126 cumulative cases since the launch of JVN iPedia), 124 cases from JVN (1,365 cumulative cases), and 397 cases from NVD (9,882 cumulative cases), bringing the quarterly total to 524 cases (11,373 cumulative cases). The number of vulnerability entries stored in JVN iPedia is now over 11,000 (see Table 1, Figure 1).
The Japanese version of JVN iPedia actively collects vulnerability information about control system software from outside sources such as NVD. As of September 30, 2011, 68 such cases were stored. Last year, Stuxnet(*4), a virus targeting industrial control systems, raised serious concern, and vulnerabilities in industrial control systems have been reported continuously since. Considering their impact on social infrastructure, close attention should be paid to vulnerabilities in industrial control systems.
As for the English version of JVN iPedia, 2 cases were gathered from domestic developers (125 cumulative cases) and 29 from JVN (560 cumulative cases), bringing the quarterly total to 31 cases (685 cumulative cases).
Version | Information Source | Registered Cases | Cumulative Cases
---|---|---|---
Japanese Version | Domestic Product Developers | 3 cases | 126 cases
Japanese Version | JVN | 124 cases | 1,365 cases
Japanese Version | NVD | 397 cases | 9,882 cases
Japanese Version | Total | 524 cases | 11,373 cases
English Version | Domestic Product Developers | 2 cases | 125 cases
English Version | JVN | 29 cases | 560 cases
English Version | Total | 31 cases | 685 cases
~Lots of vulnerabilities in widely-used PC software applications reported. Check up on vulnerability information and update promptly~
Viruses that exploit vulnerabilities in software applications widely used both in business and at home have been causing serious problems. In particular, as highlighted by the targeted attack(*5) against a major heavy industries company, cyber attacks(*6) that target a specific business or person in order to breach the corporate system and steal classified and personal information have been causing serious damage. JVN iPedia rates each vulnerability according to the CVSS(*7) and publishes its severity level(*8). Figure 2 shows the severity of vulnerabilities in widely-used PC software applications. There are 565 vulnerability entries related to Mozilla Firefox and 345 related to Microsoft Internet Explorer. Besides these, many other software applications, such as Adobe products, have more than 100 reported vulnerabilities. By severity, 69 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 29 percent were labeled level II ("Medium", CVSS Base Score = 4.0-6.9) and 2 percent were level I ("Low", CVSS Base Score = 0.0-3.9). The most severe and dangerous vulnerabilities thus account for about 70 percent of the total.
Figure 3 shows the annual transitions in the number of vulnerability entries about widely-used PC software applications. The number has been increasing every year: it was 151 in 2007 and had more than tripled to 460 in 2010.
It is essential for IT users to check on vulnerability information on a daily basis, and apply updates or security patches without delay.
~Pay attention to vulnerabilities in Products supporting IPv6~
The pool of unallocated IPv4(*9) addresses has been exhausted, and the move to IPv6(*10) is mandatory. JVN iPedia already stores information about 71 vulnerabilities in products that support IPv6, and the number of IPv6-related vulnerabilities is expected to increase in the days ahead.
Figure 4 shows the number and severity of IPv6-related vulnerabilities. 50 percent of them were labeled level III ("High", CVSS Base Score = 7.0-10.0), 34 percent were labeled level II ("Medium", CVSS Base Score = 4.0-6.9) and 10 percent were level I ("Low", CVSS Base Score = 0.0-3.9).
Table 2 shows the High level IPv6-related vulnerabilities stored in JVN iPedia since 2009. The vulnerabilities have been found in a variety of products, including operating systems such as Windows, Unix and Linux, and routers.
The users of IPv6-supported products should check on vulnerability information on a daily basis, and apply updates or security patches without delay.
The TCP/IP Vulnerability Assessment Tool(*11), available from IPA, can be used to systematically check a product for the known IPv6 vulnerabilities.
Note 1) Color Code for CVSS Base Score and Severity Level

CVSS Base Score | Severity Level
---|---
0.0~3.9 | I (Low)
4.0~6.9 | II (Medium)
7.0~10.0 | III (High)

Note 2) Color Code for Published Date: Published in 2009 and before / Published in 2010 / Published in 2011
CWE(*12) is a hierarchically structured list of weakness types that helps identify software vulnerabilities. CWE makes it possible to identify, analyze and globally compare the wide variety of vulnerabilities. Figure 5 illustrates the number of vulnerability countermeasure information entries registered during the 3rd quarter, sorted by vulnerability type using CWE.
The most frequently reported vulnerability types this quarter were CWE-119 (Buffer Errors) with 115 cases, CWE-399 (Resource Management Errors) with 53 cases, CWE-20 (Improper Input Validation) with 46 cases, CWE-79 (Cross-Site Scripting) with 42 cases, CWE-264 (Permissions, Privileges, and Access Controls) with 32 cases, CWE-189 (Numeric Errors) with 23 cases and CWE-200 (Information Leak) with 20 cases.
Most of these are well-known types of vulnerabilities. Software developers should refer to the IPA guidelines that address these vulnerabilities, such as the "Secure Programming Course"(*13), and make sure to implement the necessary security measures from the planning and design phase of software development onward. The hands-on vulnerability learning and experiencing tool "AppGoat"(*14) is also an effective way to learn about vulnerabilities.
Figure 6 shows the annual transitions in the severity of vulnerabilities registered to JVN iPedia, based on the date they were first made public by product developers or through other means such as release on security portal sites. Since 2008, the share of published vulnerabilities labeled level III ("High", CVSS Base Score = 7.0-10.0) has been on the rise, exceeding 50 percent in 2010.
As of September 30, 2011, 47 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 45 percent were labeled level II ("Medium", CVSS Base Score = 4.0-6.9) and 8 percent were level I ("Low", CVSS Base Score = 0.0-3.9).
Considering that a large share of published vulnerabilities are labeled with the higher severity levels, it is essential for IT users to check on vulnerability information on a daily basis and apply updates or security patches without delay.
Figure 7 shows the annual transitions in the type of software products registered to JVN iPedia for having vulnerabilities, based on their respective publication date. Publication of vulnerability information about applications has been increasing every year: it was 145 in 2003 and more than ten times that, 1,629, in 2010.
Since about 2008, vulnerabilities in the industrial control systems (SCADA: Supervisory Control And Data Acquisition) used in critical infrastructure have also been reported: 8 in 2008, 10 in 2009, 4 in 2010 and 36 in 2011, for a total of 68 SCADA vulnerabilities stored in JVN iPedia.
Since many new applications are developed each year, carrying both old and new vulnerabilities, improving application security is becoming more and more important. It is essential for IT users to check on vulnerability information on a daily basis and apply updates or security patches without delay.

Figure 8 shows the annual transitions in JVN iPedia registered vulnerabilities found in open source software (OSS) and non-OSS, based on the date they were first made public. Since 2008, the ratio of OSS has shown a decreasing trend and stands at 26 percent in 2011. In total, 32 percent of the registered vulnerabilities are in OSS and 68 percent are in non-OSS.
Figures 9 and 10 illustrate the breakdown of OSS and non-OSS software developers (vendors) registered on JVN iPedia, with Figure 9 representing OSS vendors and Figure 10 representing non-OSS vendors.
As shown in Figure 9, the registered OSS vendors consist of 67 domestic vendors, 27 foreign vendors with an office in Japan, and 256 foreign vendors without an office in Japan, a cumulative total of 350 OSS vendors. Similarly, as Figure 10 shows, the 295 registered non-OSS vendors consist of 124 domestic vendors, 84 foreign vendors with an office in Japan, and 87 foreign vendors without an office in Japan.
In the case of OSS vendors, the vast majority of registered vulnerability countermeasure information comes from foreign vendors without an office in Japan. When using OSS, product users who lack the knowledge required to update the software to the latest version or apply security patches themselves should consider a support contract and/or purchasing the product support services provided by the vendor.
JVN iPedia recorded 20,090,000 hits from October 2010 to September 2011, a monthly average of 1.7 million.
Table 3 lists the top 20 most accessed vulnerability countermeasure information entries in the JVN iPedia database during the 3rd quarter of 2011 (July to September). Of the 20, 15 are vulnerabilities released on JVN.
Table 4 lists the top 5 most accessed vulnerability countermeasure information entries among those reported by domestic product developers.
# | ID | Title | Access Counts | CVSS Score | Date Public
---|---|---|---|---|---
1 | JVNDB-2011-001928 | JP1/Performance Management - Web Console Cross-Site Scripting Vulnerability | 383 | 4.3 | 2011/7/26
2 | JVNDB-2011-001927 | Arbitrary Code Execution Vulnerability in HiRDB Control Manager | 383 | 10.0 | 2011/7/26
3 | JVNDB-2010-002808 | Accela BizSearch Standard Search Page Cross-Site Scripting Vulnerability | 363 | 4.3 | 2011/5/26
4 | JVNDB-2010-002807 | Accela BizSearch Standard Search Page Cross-Site Scripting Vulnerability | 326 | 4.3 | 2011/5/26
5 | JVNDB-2011-001633 | Header Customization by Hitachi Web Server RequestHeader Directive Could Allow Attacker to Access Data Deleted from Memory | 312 | 5.1 | 2011/5/26
Note 1) Color Code for CVSS Base Score and Severity Level

CVSS Base Score | Severity Level
---|---
0.0~3.9 | I (Low)
4.0~6.9 | II (Medium)
7.0~10.0 | III (High)

Note 2) Color Code for Published Date: Published in 2009 and before / Published in 2010 / Published in 2011
(*1) Japan Vulnerability Notes. A portal for vulnerability countermeasure information, providing information on vendor responses to reported vulnerabilities and on security support. Operated jointly by IPA and JPCERT/CC.
http://jvn.jp/en/
(*2) National Vulnerability Database. A vulnerability database operated by NIST.
http://nvd.nist.gov/home.cfm
(*3) National Institute of Standards and Technology. A U.S. federal agency that develops and promotes measurement, standards and technology.
http://www.nist.gov/
(*4) A virus that targets the nuclear plant control system. See an IPA Technical Watch "Report on APT".
http://www.ipa.go.jp/about/technicalwatch/20101217.html (Japanese)
(*5) Attacks that target a specific business or person to steal corporate internal information.
(*6) See also the Security Alert for Targeted Attacks
http://www.ipa.go.jp/about/press/20110929_3.html (Japanese)
(*7) Common Vulnerability Scoring System (CVSS)
http://www.ipa.go.jp/security/vuln/SeverityCVSS2.html (Japanese)
(*8) Transition to the New Version of Vulnerability Severity Scoring System CVSS v2.
http://www.ipa.go.jp/security/vuln/SeverityLevel2.html (Japanese)
(*9) Internet Protocol Version 4: The Internet protocol mainly used today. To communicate with the Internet Protocol, an IP address (identification number) must be allocated to each communication device. IPv4 has an address space of 2 to the 32nd power (about 4.3 billion addresses), but the address pool was exhausted in February 2011.
(*10) Internet Protocol Version 6: An Internet protocol designed to succeed IPv4. IPv6 has an address space of 2 to the 128th power, which removes the concern of address exhaustion.
(*11) TCP/IP Vulnerability Assessment Tool V5.0
http://www.ipa.go.jp/security/vuln/vuln_TCPIP_Check.html (Japanese)
(*12) CWE (Common Weakness Enumeration)
For more information, visit: http://www.ipa.go.jp/security/english/vuln/CWE_en.html
(*13) http://www.ipa.go.jp/security/awareness/vendor/programmingv2/index.html
(*14) A hands-on vulnerability learning and experiencing tool "AppGoat"
http://www.ipa.go.jp/security/vuln/appgoat/index.html (Japanese)
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)