
Vulnerability Countermeasure Information Database
JVN iPedia Registration Status [2013 1st Quarter (Jan. - Mar.)]

Apr. 18, 2013

1. 2013 1st Quarter Vulnerability Countermeasure Information Database JVN iPedia Registration Status

The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/) aims to be a comprehensive database in which vulnerability countermeasure information for software products used in Japan is gathered and from which IT users can easily obtain it. JVN iPedia collects and translates the vulnerability countermeasure information made public by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), a vulnerability information database run by NIST(*3). JVN iPedia has made this information available to the public since April 25, 2007.

1.1. Vulnerabilities Registered in 2013 1Q

~Vulnerability information stored in JVN iPedia is now over 39,000~

Of the vulnerability information registered to the Japanese version of JVN iPedia in the 1st quarter of 2013 (January 1 to March 31, 2013), 3 cases were gathered from domestic developers (142 cumulative cases since the launch of JVN iPedia), 85 cases from JVN (2,497 cumulative cases), and 1,149 cases from NVD (36,697 cumulative cases), for a quarterly total of 1,237 cases (39,336 cumulative cases). The total number of registered vulnerability information entries is now over 39,000 (see Table 1-1, Figure 1-1).

As for the English version of JVN iPedia, 3 cases were gathered from domestic developers (142 cumulative cases) and 30 from JVN (737 cumulative cases), for a quarterly total of 33 cases (879 cumulative cases).

Table 1-1. Registered Vulnerabilities in 1st Quarter of 2013

Version          | Information Source          | Registered Cases | Cumulative Cases
Japanese Version | Domestic Product Developers | 3 cases          | 142 cases
Japanese Version | JVN                         | 85 cases         | 2,497 cases
Japanese Version | NVD                         | 1,149 cases      | 36,697 cases
Japanese Version | Total                       | 1,237 cases      | 39,336 cases
English Version  | Domestic Product Developers | 3 cases          | 142 cases
English Version  | JVN                         | 30 cases         | 737 cases
English Version  | Total                       | 33 cases         | 879 cases

Figure 1-1. Quarterly Change in Number of Vulnerabilities Registered

To make JVN iPedia more useful for system administrators, IPA is expanding the coverage of vulnerability information registered to JVN iPedia. Currently, all vulnerabilities released on NVD in and after 2007 have been translated into Japanese and are available on JVN iPedia, so system administrators can obtain and make use of a broader range of vulnerability information in Japanese.

1.2. Type of Vulnerabilities Registered

Figure 1-2 illustrates the number of vulnerability countermeasure information entries registered during the 1st quarter of 2013, sorted by vulnerability type using CWE.

The vulnerability types reported most frequently this quarter are CWE-119 (Buffer Errors) with 158 cases, CWE-264 (Permissions, Privileges and Access Controls) with 128 cases, CWE-79 (Cross-Site Scripting) with 114 cases, CWE-20 (Improper Input Validation) with 98 cases, CWE-399 (Resource Management Errors) with 94 cases and CWE-200 (Information Leak) with 74 cases.

Most of these are well-known vulnerability types. Software developers need to implement the necessary security measures from the planning and design phases of software development. IPA provides guidelines that address these vulnerabilities, such as the "Secure Programming Course"(*4), and also offers "AppGoat"(*5), a hands-on tool for learning about and experiencing vulnerabilities, to promote secure programming.

Figure 1-2. Number of Vulnerabilities Registered in 2013/1Q

1.3. Severity of Vulnerabilities Registered

Figure 1-3 shows the annual transitions in the severity of vulnerabilities registered to JVN iPedia based on the date they were first made public.

As of March 31, 2013, 45 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 49 percent were labeled level II ("Medium", CVSS Base Score = 4.0-6.9) and 6 percent were level I ("Low", CVSS Base Score = 0.0-3.9).

Given that a large share of published vulnerabilities is labeled with the higher severity levels, it is essential for IT users to check vulnerability information on a daily basis and apply updates or security patches without delay.

Figure 1-3. Annual Change in Severity of Vulnerabilities

1.4. Type of Products Reported for Having Vulnerability

Figure 1-4 shows the annual transitions in the type of software products registered to JVN iPedia for having vulnerabilities, based on their respective vulnerability release date. According to the data since 2007, application vulnerabilities account for around 90 percent of the total each year, and this trend is expected to continue in 2013.

Since around 2008, vulnerabilities in industrial control systems (ICS) used in critical infrastructure have also been registered. As of the 1st quarter of 2013, a total of 340 ICS vulnerabilities are registered in JVN iPedia.

Since many new software applications are developed each year, carrying both old and new vulnerabilities, improving application security is becoming more and more important. It is essential for IT users to check vulnerability information on a daily basis and apply updates or security patches without delay.

Figure 1-4. Annual Change in Kinds of Products with Vulnerability

1.5. Open Source Software

Figure 1-5 shows the annual transitions in JVN iPedia registered vulnerabilities found in open source software (OSS) and non-OSS, based on the date they were first made public. A total of 15,937 OSS-related vulnerabilities have been registered; overall, 41 percent of registered vulnerabilities are in OSS and 59 percent are in non-OSS.

Figure 1-5. Annual Change in Number of Vulnerabilities in Open Source Software (OSS) and Non-OSS

1.6. Product Vendors

Figures 1-6-1 and 1-6-2 illustrate the breakdown of OSS and non-OSS software developers (vendors) registered in JVN iPedia: Figure 1-6-1 covers OSS vendors and Figure 1-6-2 covers non-OSS vendors.

As shown in Figure 1-6-1, the registered OSS vendors consist of 87 domestic vendors, 68 foreign vendors with an office in Japan, and 4,088 foreign vendors without an office in Japan, a cumulative total of 4,243 OSS vendors. Similarly, as Figure 1-6-2 shows, the 4,521 registered non-OSS vendors consist of 180 domestic vendors, 209 foreign vendors with an office in Japan, and 4,132 foreign vendors without an office in Japan.

In the case of OSS, the vast majority of registered vulnerabilities are in products of foreign vendors without an office in Japan. When using OSS, product users who lack the knowledge required to update the software to the latest version or apply security patches should consider entering into a support contract and/or purchasing the product support services offered by the vendor.

(Left) Figure 1-6-1. OSS Vendors (Right) Figure 1-6-2. Non-OSS Vendors

2. Hot Topic on the Registered Vulnerability in 2013 1Q

2.1. Vulnerabilities in Popular Software Applications

~Lots of vulnerabilities in widely-used PC software applications reported. Check and update promptly~

As typified by targeted email attacks, the mainstream technique in recent cyberattacks aimed at stealing confidential and personal information is to infect targets with viruses that exploit software vulnerabilities, delivered via files attached to email and any other possible means. In the 10 Major Security Threats 2013(*6), which selected the security threats with significant social impact in 2012, attacks exploiting client software applications were ranked the top threat.

In particular, vulnerabilities in very popular software such as browsers, document software and execution environments have been aggressively exploited. Figure 2-1-1 shows the annual transitions in the number of vulnerabilities in 8 standard software products widely used on PCs. During the 1st quarter of 2013, 292 vulnerabilities in these products were registered; compared with the total of 531 for all of 2012, more than half that number was reached in just 3 months.

Figure 2-1-1. Annual Change in Number of Vulnerabilities In Standard Software Applications Widely Used on PC

JVN iPedia rates each vulnerability according to CVSS(*7) and publishes its severity level(*8). Figure 2-1-2 shows the severity of vulnerabilities in 8 standard software products widely used on PCs. There are 909 vulnerability information entries related to Mozilla Firefox, 646 related to Microsoft Internet Explorer and 827 related to 3 Adobe products (Reader, Acrobat, Flash Player). Focusing on severity, 65 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 32 percent were labeled level II ("Medium", CVSS Base Score = 4.0-6.9) and 3 percent were level I ("Low", CVSS Base Score = 0.0-3.9). The most severe level III vulnerabilities account for about two-thirds of the total.

Figure 2-1-2. Severity of Vulnerabilities in Standard Software Applications Widely Used on PC

High-severity vulnerabilities continue to be reported. It is essential for IT users to check vulnerability information on a daily basis and apply updates or security patches without delay.

IPA offers a free tool, "MyJVN Version Checker"(*9), that lets IT users easily check whether the software applications installed on their PC are the latest version. IPA also offers a command line interface(*10) so that system administrators can check multiple PCs automatically.

2.2. Publication of Security Alerts

~Check security alerts every day!~

IPA selects security issues that would affect many users and publishes information about the issues and countermeasures as "security alerts"(*11). Table 2-2 lists the security alerts issued this quarter. During the 3 months from January to March 2013, IPA published 17 security alerts: 8 "urgent-level" alerts, for vulnerabilities for which exploitation has been confirmed, and 9 "warning-level" alerts, for vulnerabilities for which exploitation has not been confirmed but is expected. Compared with 2012 4Q (October - December), in which only 4 security alerts were issued, this is more than 4 times as many.

Table 2-2. List of Security Alerts Published in 2013 1Q

Date      | Level   | Title
2013/1/9  | Warning | Security Alert for Adobe Reader and Acrobat (APSB13-02)(CVE-2012-1530 etc.)
2013/1/9  | Warning | Security Alert for Adobe Flash Player (APSB13-01)(CVE-2013-0630)
2013/1/15 | Urgent  | Security Alert for Oracle Java (CVE-2013-0422)
2013/1/15 | Urgent  | Security Alert for Internet Explorer (MS13-008)(CVE-2012-4792)
2013/2/4  | Urgent  | Security Alert for Oracle Java (CVE-2013-0437 etc.)
2013/2/8  | Urgent  | Security Alert for Adobe Flash Player (APSB13-04)(CVE-2013-0633 etc.)
2013/2/13 | Urgent  | Security Alert for Internet Explorer (MS13-010)(CVE-2013-0030)
2013/2/13 | Warning | Security Alert for Adobe Flash Player (APSB13-05)(CVE-2013-1372 etc.)
2013/2/20 | Warning | Security Alert for Oracle Java (CVE-2013-1487 etc.)
2013/2/21 | Urgent  | Security Alert for Adobe Reader and Acrobat (APSB13-07)(CVE-2013-0640 etc.)
2013/2/21 | Warning | Security Alert for NEC Corporation Universal RAID Utility
2013/2/26 | Warning | Security Alert for Multiple JustSystems Products
2013/2/27 | Urgent  | Security Alert for Adobe Flash Player (APSB13-08)(CVE-2013-0643 etc.)
2013/3/5  | Urgent  | Security Alert for Oracle Java (CVE-2013-1493)
2013/3/7  | Warning | Security Alert for Multiple Cisco Switches
2013/3/13 | Warning | Security Alert for Adobe Flash Player (APSB13-09)(CVE-2013-0646 etc.)
2013/3/28 | Warning | Security Alert for DNS Server BIND (CVE-2013-2266)
2013/3/28 | Warning | Security Alert for Adobe Reader and Acrobat (APSB13-02)(CVE-2012-1530 etc.)

Among the security alerts issued in 2013 1Q, 5 concern Adobe Flash Player and 4 concern Java programs by Oracle, such as the JDK (Java Development Kit) and JRE (Java Runtime Environment); together these account for about half.

The number of reported vulnerabilities in Adobe Flash Player, the JDK and the JRE has been increasing year by year. Figure 2-2 shows the annual transitions in the number of Adobe Flash Player, JDK and JRE vulnerabilities registered to JVN iPedia. In 2013 1Q alone, 134 vulnerabilities were registered for these 3 products. That is more than two-thirds of the total number for all of 2012, a sharp increase.

Figure 2-2. Annual Change in Registered Vulnerabilities in Adobe Flash Player, JDK and JRE

For software applications like Adobe Flash Player, the JDK and the JRE, users should not only be aware of this increasing trend and keep updating them, but also consider other security measures, including uninstalling them if they are not necessary.

2.3. Industrial Control System Vulnerabilities

~Vulnerabilities in industrial control system have been increasing year by year~

In recent years, vulnerabilities in software used in industrial control systems (ICS), such as the monitoring systems used in facilities like production plants, have been increasing drastically.

Figure 2-3-1 shows the number and severity of ICS vulnerabilities registered to JVN iPedia. So far in 2013, of the 46 ICS vulnerabilities registered, the most severe level III vulnerabilities account for over half (24), continuing the increasing tendency seen in past years.

Figure 2-3-1. Annual Change in Number and Severity of Vulnerabilities in Industrial Control System Software

Figures 2-3-2 and 2-3-3 show the severity of vulnerabilities in ICS software and across all software, respectively. For ICS software, 63 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 36 percent were level II ("Medium", CVSS Base Score = 4.0-6.9) and 1 percent were level I ("Low", CVSS Base Score = 0.0-3.9). This is a high share compared with all software.

(Left) Figure 2-3-2. Severity (ICS) (Right) Figure 2-3-3. Severity (Overall)

Figure 2-3-4 illustrates the number of vulnerability countermeasure information entries sorted by vulnerability type using CWE(*12). CWE-119 (Buffer Errors), which may pose serious threats such as arbitrary code execution, accounts for 102 cases, more than 3 times the number of CWE-22 (Path Traversal) and the other types.

Figure 2-3-4. Number of Types of Vulnerabilities in Industrial Control System Software

ICS users should check vulnerability information regularly and, if a vulnerability is found in a product they use, ask the vendor or retailer whether a fix such as an updated version is available and take the necessary action promptly. If they cannot take action immediately for some reason, they should evaluate the environment, such as the network in which the vulnerable ICS operates and the risks it faces, and consider how to mitigate those risks and/or take alternative measures(*13).

3. Most Accessed Vulnerability Countermeasure Information

Table 3-1 lists the top 20 most accessed vulnerability countermeasure information entries in JVN iPedia during the 1st quarter of 2013 (January - March).

Table 3-2 lists the top 5 most accessed entries among those reported by domestic product developers.

Table 3-1. Top 20 Most Accessed Vulnerability Countermeasure Information in JVN iPedia [Jan. 2013 - Mar. 2013]

#  | ID                | Title                                                                                          | Access Counts | CVSS Score | Date Public
1  | JVNDB-2013-001027 | Vulnerability in Oracle Java 7                                                                 | 5,081         | 10.0       | 2013/1/11
2  | JVNDB-2013-001912 | Denial of Service (DoS) Vulnerability in Rehash Mechanism in Perl                              | 2,411         | 7.5        | 2013/3/21
3  | JVNDB-2012-001258 | HTTPOnly Cookies Information Disclosure Vulnerability in protocol.c in Apache HTTP Server      | 1,867         | 4.3        | 2012/2/1
4  | JVNDB-2013-000012 | NEC Universal RAID Utility fails to restrict access permissions                                | 1,668         | 9.0        | 2013/2/21
5  | JVNDB-2013-001019 | Multiple Vulnerabilities in Ruby on Rails                                                      | 1,568         | 7.5        | 2013/1/10
6  | JVNDB-2013-000017 | Multiple Cisco products vulnerable to denial-of-service (DoS)                                  | 1,464         | 7.8        | 2013/3/7
7  | JVNDB-2013-001237 | Eval Injection and SQL Injection Vulnerability in mt-upgrade.cgi in Movable Type               | 1,290         | 7.5        | 2013/1/24
8  | JVNDB-2012-005828 | Internet Explorer Arbitrary Code Execution Vulnerability                                       | 1,210         | 9.3        | 2013/1/4
9  | JVNDB-2013-001460 | Distinguishing and Plaintext-Recovering Attack Vulnerability in TLS Protocol and DTLS Protocol | 1,071         | 2.6        | 2013/2/13
10 | JVNDB-2011-002172 | Apache HTTPD Server Denial of Service (DoS) Vulnerability                                      | 1,046         | 7.8        | 2011/9/1
11 | JVNDB-2011-002110 | Samba Web Administration Tool vulnerable to cross-site request forgery                         | 1,006         | 4.0        | 2011/8/18
12 | JVNDB-2013-000015 | Multiple JustSystems products vulnerable to arbitrary code execution                           | 971           | 6.8        | 2013/2/26
13 | JVNDB-2013-000005 | Weathernews Touch for Android stores location information in the system log file              | 915           | 2.6        | 2013/1/31
14 | JVNDB-2011-002305 | Chosen Plaintext Attack Vulnerability in CBC Mode in SSL/TLS                                   | 898           | 4.3        | 2011/10/4
15 | JVNDB-2013-000008 | Cybozu Garoon vulnerable to cross-site scripting                                               | 855           | 2.6        | 2013/2/8
16 | JVNDB-2013-001056 | Oracle Java SE Arbitrary Code Execution Vulnerability                                          | 846           | 10.0       | 2013/1/15
17 | JVNDB-2013-000007 | Cybozu Garoon vulnerable to SQL injection                                                      | 803           | 6.5        | 2013/2/8
18 | JVNDB-2012-000113 | concrete5 vulnerable to cross-site scripting                                                   | 802           | 2.6        | 2012/12/21
19 | JVNDB-2009-002319 | Vulnerability in SSL/TLS Protocol                                                              | 792           | 6.4        | 2009/12/14
20 | JVNDB-2012-000115 | Loctouch for Android information management vulnerability                                      | 789           | 2.6        | 2012/12/21

Table 3-2. Top 5 Most Accessed Vulnerability Countermeasure Information from Domestic Developers [Jan. 2013 - Mar. 2013]

#  | ID                | Title                                                                                                                   | Access Counts | CVSS Score | Date Public
1  | JVNDB-2012-005827 | Cross-site Scripting Vulnerability in Collaboration - Bulletin board in Multiple Hitachi Products                       | 768           | 4.3        | 2012/12/28
2  | JVNDB-2013-001605 | Multiple vulnerabilities in Hitachi Tuning Manager and JP1/Performance Management                                       | 515           | 9.0        | 2013/2/20
3  | JVNDB-2013-001321 | User Authentication Vulnerability in Operational Management Function of Cosminexus                                      | 457           | 6.8        | 2013/1/31
4  | JVNDB-2013-001470 | Accela BizSearch Gateway Option for TeamWARE Spoofing Vulnerability                                                     | 388           | 6.8        | 2013/2/13
5  | JVNDB-2012-005486 | Denial of Service (DoS) Vulnerability in JP1/Automatic Job Management System 3 and JP1/Automatic Job Management System 2 | 321           | 5.0        | 2012/11/22

Note 1) Color Code for CVSS Base Score and Severity Level

CVSS Base Score = 0.0~3.9  : Severity Level = I (Low)
CVSS Base Score = 4.0~6.9  : Severity Level = II (Medium)
CVSS Base Score = 7.0~10.0 : Severity Level = III (High)
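The three-level banding in Note 1, which sections 1.3, 2.1 and 2.3 use to report severity shares, applied to the Table 3-1 rows, as an added example in Python that is not part of this report or of JVN iPedia. It parses rows in the flattened "rank ID title access-count score date" layout in which Table 3-1 appears above, bands each entry by its CVSS base score, and turns the counts into integer percentages that sum to 100 the way the report's figures do. The row regex, the Entry fields and the function names are this example's own assumptions; the band edges and the row data are the ones the page gives.

```python
"""Band JVN iPedia entries by CVSS severity and tally them like the report.

Added example, not IPA or JVN iPedia code. The rows in TABLE_3_1 are
copied from Table 3-1 on this page; the band edges follow Note 1
(0.0-3.9 = I, 4.0-6.9 = II, 7.0-10.0 = III).
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Assumed row layout: rank, JVNDB id, free-text title, access count with
# thousands separators, one-decimal CVSS base score, YYYY/M/D date.
ROW_RE = re.compile(
    r"^(?P<rank>\d+)\s+(?P<id>JVNDB-\d{4}-\d{6})\s+(?P<title>.+?)\s+"
    r"(?P<hits>[\d,]+)\s+(?P<score>\d+\.\d)\s+(?P<date>\d{4}/\d{1,2}/\d{1,2})$"
)


@dataclass(frozen=True)
class Entry:
    rank: int
    jvndb_id: str
    title: str
    access_count: int
    cvss_base: float
    published: str


def parse_row(line: str) -> Entry:
    """Split one table row into an Entry; malformed rows raise instead of being skipped."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable row: {line!r}")
    return Entry(int(m["rank"]), m["id"], m["title"],
                 int(m["hits"].replace(",", "")), float(m["score"]), m["date"])


def severity_level(score: float) -> str:
    """Map a CVSS base score to the report's level I, II or III."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 7.0:
        return "III"
    if score >= 4.0:
        return "II"
    return "I"


def percentages(counts: dict) -> dict:
    """Integer percentages that always sum to 100 (largest-remainder rounding).

    Naive rounding of each share can total 99 or 101; the shares in the
    report (45/49/6, 65/32/3, 63/36/1) each total exactly 100.
    """
    total = sum(counts.values())
    if total == 0:
        return {k: 0 for k in counts}
    raw = {k: 100.0 * v / total for k, v in counts.items()}
    out = {k: math.floor(v) for k, v in raw.items()}
    short = 100 - sum(out.values())
    for k in sorted(raw, key=lambda k: raw[k] - out[k], reverse=True)[:short]:
        out[k] += 1
    return out


def severity_distribution(entries) -> dict:
    """{level: percent} for III, II and I, the breakdown Figures 1-3 and 2-1-2 show."""
    counts = Counter(severity_level(e.cvss_base) for e in entries)
    return percentages({lvl: counts.get(lvl, 0) for lvl in ("III", "II", "I")})


def level_iii_ids(entries) -> list:
    """IDs of level III entries, the ones section 1.3 says to patch without delay."""
    return [e.jvndb_id for e in entries if severity_level(e.cvss_base) == "III"]


# Rows copied from Table 3-1 on this page.
TABLE_3_1 = """\
1 JVNDB-2013-001027 Vulnerability in Oracle Java 7 5,081 10.0 2013/1/11
2 JVNDB-2013-001912 Denial of Service (DoS) Vulnerability in Rehash Mechanism in Perl 2,411 7.5 2013/3/21
3 JVNDB-2012-001258 HTTPOnly Cookies Information Disclosure Vulnerability in protocol.c in Apache HTTP Server 1,867 4.3 2012/2/1
4 JVNDB-2013-000012 NEC Universal RAID Utility fails to restrict access permissions 1,668 9.0 2013/2/21
5 JVNDB-2013-001019 Multiple Vulnerabilities in Ruby on Rails 1,568 7.5 2013/1/10
6 JVNDB-2013-000017 Multiple Cisco products vulnerable to denial-of-service (DoS) 1,464 7.8 2013/3/7
7 JVNDB-2013-001237 Eval Injection and SQL Injection Vulnerability in mt-upgrade.cgi in Movable Type 1,290 7.5 2013/1/24
8 JVNDB-2012-005828 Internet Explorer Arbitrary Code Execution Vulnerability 1,210 9.3 2013/1/4
9 JVNDB-2013-001460 Distinguishing and Plaintext-Recovering Attack Vulnerability in TLS Protocol and DTLS Protocol 1,071 2.6 2013/2/13
10 JVNDB-2011-002172 Apache HTTPD Server Denial of Service (DoS) Vulnerability 1,046 7.8 2011/9/1
11 JVNDB-2011-002110 Samba Web Administration Tool vulnerable to cross-site request forgery 1,006 4.0 2011/8/18
12 JVNDB-2013-000015 Multiple JustSystems products vulnerable to arbitrary code execution 971 6.8 2013/2/26
13 JVNDB-2013-000005 Weathernews Touch for Android stores location information in the system log file 915 2.6 2013/1/31
14 JVNDB-2011-002305 Chosen Plaintext Attack Vulnerability in CBC Mode in SSL/TLS 898 4.3 2011/10/4
15 JVNDB-2013-000008 Cybozu Garoon vulnerable to cross-site scripting 855 2.6 2013/2/8
16 JVNDB-2013-001056 Oracle Java SE Arbitrary Code Execution Vulnerability 846 10.0 2013/1/15
17 JVNDB-2013-000007 Cybozu Garoon vulnerable to SQL injection 803 6.5 2013/2/8
18 JVNDB-2012-000113 concrete5 vulnerable to cross-site scripting 802 2.6 2012/12/21
19 JVNDB-2009-002319 Vulnerability in SSL/TLS Protocol 792 6.4 2009/12/14
20 JVNDB-2012-000115 Loctouch for Android information management vulnerability 789 2.6 2012/12/21
"""

ENTRIES = [parse_row(row) for row in TABLE_3_1.splitlines() if row.strip()]

if __name__ == "__main__":
    print(severity_distribution(ENTRIES))
    print(level_iii_ids(ENTRIES))
```

The band edges are inclusive on both sides, so 3.9 is level I and 4.0 is level II, matching Note 1; a score outside 0.0-10.0 is rejected rather than silently banded, which is the check to keep when the scores come from a feed rather than from a table on a page.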

Note 2) Color Code for Published Date

- Published in 2011 and before
- Published in 2012
- Published in 2013

Footnote

(*1) Japan Vulnerability Notes. A portal for vulnerability countermeasure information providing information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.
http://jvn.jp/en/

(*2) National Vulnerability Database. A vulnerability database operated by NIST.
http://nvd.nist.gov/home.cfm

(*3) National Institute of Standards and Technology. A U.S. federal agency that develops and promotes measurement, standards and technology.
http://www.nist.gov/

(*4) http://www.ipa.go.jp/security/awareness/vendor/programmingv2/index.html (Japanese)

(*5) Hands-on vulnerability learning and experiencing tool "AppGoat"
http://www.ipa.go.jp/security/vuln/appgoat/index.html (Japanese)

(*6) Press Release: 10 Major Security Threats - They Are About To Get You
http://www.ipa.go.jp/security/vuln/10threats2013.html (Japanese)

(*7) Common Vulnerability Scoring System (CVSS)
http://www.ipa.go.jp/security/vuln/CVSS.html (Japanese)
Based on the numeric Base Score, each vulnerability is rated at one of three levels; the higher the number, the higher the severity.
- Level III: A threat that could allow complete remote control of the targeted system or lead to disclosure of a major part of its information.
- Level II: A threat that could lead to disclosure of part of the information or to denial of service.
- Level I: A threat for which the conditions required to execute an attack are complicated, or which would fall under Level II but is very unlikely to be reproduced.

(*8) Transition to the New Version of Vulnerability Severity Scoring System CVSS v2.
http://www.ipa.go.jp/security/vuln/SeverityLevel2.html (Japanese)

(*9) MyJVN Version Checker
http://jvndb.jvn.jp/apis/myjvn/ (Japanese)

(*10) See the press release "MyJVN Version Checker now usable offline"
http://www.ipa.go.jp/about/press/20111129.html (Japanese)

(*11) About IPA Security Alerts
https://www.ipa.go.jp/security/announce/about.html (Japanese)

(*12) CWE (Common Weakness Enumeration)
For more information, visit: http://www.ipa.go.jp/security/english/vuln/CWE_en.html

(*13) Security Alert for Vulnerability in Control Systems
http://www.ipa.go.jp/security/english/vuln/20120406_controlsystem_en.html

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)