
Vulnerability Countermeasure Information Database JVN iPedia Registration Status [2014 3rd Quarter (Jul. - Sep.)]

Nov. 27, 2014
IT Security Center

1. 2014 3rd Quarter: Vulnerability Countermeasure Information Database JVN iPedia Registration Status

The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/) aims to become a comprehensive database in which vulnerability countermeasure information about software used in Japan is aggregated so that IT users can easily access it. JVN iPedia collects and/or translates the vulnerability countermeasure information published by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), a vulnerability information database run by NIST(*3). JVN iPedia has made this information available to the public since April 25, 2007.

1-1. Vulnerabilities Registered in 2014 3Q

~ A total of 48,427 vulnerabilities stored in JVN iPedia ~

The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 3rd quarter of 2014 (July 1 to September 30, 2014) is shown in the table below. The total number of vulnerabilities stored in JVN iPedia is now 48,427 (See Table 1-1, Figure 1-1).

As for the English version, a total of 1,101 vulnerabilities are available, as shown in the lower half of the table.

Table 1-1. Registered Vulnerabilities in 3rd Quarter of 2014

Japanese Version
  Information Source            Registered Cases   Cumulative Cases
  Domestic Product Developers   0 cases            158 cases
  JVN                           349 cases          3,629 cases
  NVD                           1,218 cases        44,640 cases
  Total                         1,567 cases        48,427 cases

English Version
  Information Source            Registered Cases   Cumulative Cases
  Domestic Product Developers   0 cases            158 cases
  JVN                           48 cases           943 cases
  Total                         48 cases           1,101 cases

1-2. Hot Topic #1: Many Android Applications Reported for Failure to Properly Validate SSL Certificates

~ Improper SSL certificate validation vulnerability accounts for 84% of Android vulnerabilities ~

Figure 1-2-1 shows the number of Android OS and application vulnerabilities registered to JVN iPedia over the last several quarters. In this quarter, 144 vulnerabilities were registered, and 121 of them concerned improper SSL certificate validation (CWE-310(*4) Cryptographic Issues). This is because CERT/CC(*5) carried out a study that checked a large number of Android applications to see whether they properly validate SSL certificates(*6) and found that they do not, which resulted in a sharp increase in the number of Android application vulnerabilities registered. Vulnerability information published in the U.S., such as the aforementioned vulnerability(*7), is usually translated into Japanese and published for IT users' convenience. Also, because this vulnerability is related to 13 known vulnerabilities published on JVN in the past, we have cross-referenced them.

If this issue is exploited, an attacker could eavesdrop on or alter the communication even though it is encrypted. As other Android applications are suspected to have the same vulnerability, IPA issued a security alert(*8) for Android application developers on September 19, 2014.

Application developers need to learn how to write secure applications, and if a vulnerability is found, they should fix it promptly and provide a patch or update.

IPA offers a free vulnerability learning/checking tool called “AnCoLe”(*9) to Android application developers. Using AnCoLe, a developer can check whether source code is affected by the improper SSL certificate validation vulnerability (improper implementation of SSL communication).
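As an added illustration of the kind of check described above, the following Python script scans Android/Java source text for the common code patterns that disable SSL certificate and hostname validation. It is an example written for this page, not AnCoLe and not code from IPA or CERT/CC; the two source snippets, the pattern labels and the function names are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample source (not from any real application): a custom trust
# manager that accepts every server certificate and a hostname verifier that
# accepts every hostname, which together make TLS interception undetectable.
VULNERABLE_SOURCE = """
public class TrustAllManager implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] chain, String authType) {
    }
    public void checkClientTrusted(X509Certificate[] chain, String authType) {
    }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
};
"""

# Constructed sample that leaves validation to the platform default context.
SAFE_SOURCE = """
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.setSSLSocketFactory(SSLContext.getDefault().getSocketFactory());
"""

# Finding label -> pattern. DOTALL lets a method body span several lines, so an
# override whose body contains only whitespace is caught.
PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("empty checkServerTrusted body",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}", re.DOTALL)),
    ("HostnameVerifier.verify always returns true",
     re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}", re.DOTALL)),
    ("ALLOW_ALL_HOSTNAME_VERIFIER used",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")),
    ("getAcceptedIssuers returns null",
     re.compile(r"getAcceptedIssuers\s*\([^)]*\)\s*\{\s*return\s+null\s*;\s*\}", re.DOTALL)),
]


def scan_source(source: str) -> List[Tuple[str, int]]:
    """Return (finding label, 1-based line number) for each insecure pattern found."""
    findings: List[Tuple[str, int]] = []
    for label, pattern in PATTERNS:
        match = pattern.search(source)
        if match:
            line = source.count("\n", 0, match.start()) + 1
            findings.append((label, line))
    return findings


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SOURCE), ("safe", SAFE_SOURCE)):
        print(name, scan_source(src) or "no findings")
```

The patterns are a first-pass textual check only: a checkServerTrusted body that contains just a comment or a bare return statement disables validation equally but would not match here, so a hit or a miss from a script like this should be confirmed by reviewing the TrustManager and HostnameVerifier implementations themselves.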

1-3. Hot Topic #2: CVE-ID Syntax Change - New Arbitrary-Length Format Will Be Put In Practice Soon

~ MyJVN API users need to ensure their systems and tools are also ready for arbitrary-length CVE-IDs ~

CVE-ID(*10) is a unique identifier maintained by MITRE(*11) to identify reported vulnerabilities. With the current syntax, CVE + YYYY + NNNN (e.g. CVE-2014-1234), the number part (NNNN) is fixed at four digits and supports a maximum of 9,999 unique CVE-IDs per year. To support more than 10,000 vulnerabilities in a single year, a new syntax will be put into use. With the new syntax, CVE + YYYY + arbitrary digits (e.g. CVE-2014-12345), the number part begins at four digits and grows by one digit only when the next digit is needed within a single year.

At least one CVE-ID will be issued using the new syntax before the end of 2014 and no later than January 13, 2015, according to the MITRE announcement of September 17, 2014. Once it is issued, IPA's JVN iPedia and MyJVN(*12) will also provide vulnerability information with new-syntax CVE-IDs. MyJVN API users who retrieve JVN iPedia information for use in their systems, tools and websites must make sure that those systems, tools and websites continue to work properly when they process new-syntax CVE-IDs. For more details about the CVE-ID syntax change, please check the CVE website:
http://cve.mitre.org/cve/identifiers/syntaxchange.html
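The following Python example, added here and not part of the original report or the MyJVN API, shows the two places where a consumer of CVE-IDs typically breaks under the new syntax: a parser that assumes a fixed 13-character ID, and a sort that orders IDs as strings. The function names and the sample IDs are constructed for the example; the validation rule follows the page's description (four digits minimum, a longer sequence only when needed, so a sequence longer than four digits never starts with 0).

```python
import re
from typing import List, NamedTuple, Optional

# Year is always four digits. The sequence is exactly four digits, or five or
# more digits with no leading zero (the ID only grows when a digit is needed).
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4}|[1-9]\d{4,})$")


class CveId(NamedTuple):
    year: int
    sequence: int

    def __str__(self) -> str:
        # Pad the sequence to four digits; longer sequences print as-is.
        return f"CVE-{self.year:04d}-{self.sequence:04d}"


def parse_cve_id(text: str) -> Optional[CveId]:
    """Return (year, sequence) for a valid CVE-ID in either syntax, else None."""
    match = CVE_ID_RE.match(text.strip())
    if match is None:
        return None
    return CveId(int(match.group(1)), int(match.group(2)))


def parse_cve_id_fixed_width(text: str) -> Optional[CveId]:
    """Legacy-style parser that assumes 'CVE-YYYY-NNNN' is always 13 characters.
    Kept only to show how such code silently rejects new-syntax IDs."""
    if len(text) != 13 or not text.startswith("CVE-"):
        return None
    return CveId(int(text[4:8]), int(text[9:13]))


def sort_cve_ids(ids: List[str]) -> List[str]:
    """Order IDs numerically by (year, sequence); plain string sorting puts
    CVE-2014-10000 before CVE-2014-9999 because '1' < '9'."""
    return sorted(ids, key=lambda s: parse_cve_id(s) or CveId(0, 0))


if __name__ == "__main__":
    for sample in ("CVE-2014-1234", "CVE-2014-12345", "CVE-2014-01234"):
        print(sample, "old parser:", parse_cve_id_fixed_width(sample),
              "new parser:", parse_cve_id(sample))
    print(sort_cve_ids(["CVE-2014-10000", "CVE-2014-9999"]))
```

Beyond the parser, any fixed-width storage for the ID (a CHAR(13) database column, a fixed-size buffer, a regular expression with \d{4} in a web form) needs the same review; the test for readiness is that an ID such as CVE-2014-12345 round-trips through every component unchanged and compares correctly against four-digit IDs from the same year.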

2. Details on JVN iPedia Registered Data

2-1. Type of Vulnerabilities Reported

Figure 2-1 shows the number of vulnerability countermeasure information entries registered during the 3rd quarter of 2014, sorted by vulnerability type using CWE.

The vulnerability type reported most often during this quarter is CWE-79 (Cross-Site Scripting) with 271 cases, followed by CWE-310 (Cryptographic Issues) with 147 cases and CWE-264 (Permissions, Privileges and Access Controls) with 145 cases. The most reported type, CWE-79 (Cross-Site Scripting), could allow an attacker to put bogus web pages on a legitimate website.

Software developers need to implement the necessary security measures from the planning and design phases of software development in order to mitigate vulnerabilities. IPA provides tools and guidelines such as the “Secure Programming Courses”(*13) to promote secure programming and “AppGoat”(*14) to help developers learn and understand vulnerabilities through practice and exercises(*15).

2-2. Severity of Vulnerabilities Reported

Figure 2-2 shows the annual change in the severity of vulnerabilities registered to JVN iPedia based on the date they were first published.

As of the end of September 2014, 42 percent of all vulnerabilities registered since the launch of JVN iPedia are level III (“High”, CVSS Base Score = 7.0-10.0), 51 percent are level II (“Medium”, CVSS Base Score = 4.0-6.9) and 7 percent are level I (“Low”, CVSS Base Score = 0.0-3.9).

This means that 93 percent of the known vulnerabilities are level II or higher, which are threats serious enough to cause a service outage. To avoid the threats posed by known vulnerabilities, it is essential for IT users to update software or apply security patches as soon as they become available.

2-3. Type of Products Reported for Having Vulnerability

Figure 2-3 shows the annual change in the types of software registered to JVN iPedia for having vulnerabilities, based on their respective vulnerability release dates. Application vulnerabilities are published most and account for 85 percent of the total.

Since 2008, vulnerabilities in Industrial Control Systems (ICS) used in fields such as critical infrastructure have been added as well. During this quarter, 50 ICS vulnerabilities were registered, bringing the total to 574.

2-4. Products Reported

Table 2-4 lists the top 20 software products for which the most vulnerabilities were registered during the 3rd quarter of 2014. As seen below, many browsers ranked in the top 10: Internet Explorer (1), Google Chrome (5), Safari (7) and Mozilla Firefox (8). Quite a number of software products by Hitachi Ltd. were also in the top 20.

Besides vulnerability information on browsers and other applications that are updated often, JVN iPedia stores information on a wide variety of software products. Users should pay particular attention to those frequently updated products and make sure not to miss vulnerability information and patches for them.

Table 2-4. Top 20 Software Products with the Most Registered Vulnerabilities

#   Category                                         Product Name (Vendor)                              Vulnerabilities Registered
1   Browser                                          Internet Explorer (Microsoft)                      108
2   OS                                               iOS (Apple)                                        74
3   Media Player                                     Apple TV (Apple)                                   51
4   OS                                               Apple Mac OS X (Apple)                             48
5   Browser                                          Google Chrome (Google)                             41
6   OS                                               Linux Kernel (kernel.org)                          34
7   Browser                                          Safari (Apple)                                     27
8   Browser                                          Mozilla Firefox (Mozilla Foundation)               23
8   Development Environment                          Adobe Air (Adobe Systems)                          23
8   Development Environment                          Adobe Air SDK (Adobe Systems)                      23
8   Media Player                                     Adobe Flash Player (Adobe Systems)                 23
12  Mailer                                           Mozilla Thunderbird (Mozilla Foundation)           21
13  Development Environment                          JDK (Oracle)                                       20
13  Development Environment                          JRE (Oracle)                                       20
15  Network Software                                 Wireshark (Wireshark)                              17
15  Integrated Development/Operational Environment   Cosminexus Application Server Standard (Hitachi)   17
15  Integrated Development/Operational Environment   Cosminexus Client (Hitachi)                        17
15  Integrated Development/Operational Environment   Cosminexus Studio (Hitachi)                        17
15  Integrated Development/Operational Environment   Cosminexus Primary Server (Hitachi)                17
15  Integrated Development/Operational Environment   Cosminexus Developer (Hitachi)                     17

3. Most Accessed Vulnerability Countermeasure Information

Table 3-1 lists the top 20 most accessed vulnerability countermeasure information entries in JVN iPedia during the 3rd quarter of 2014 (July – September). The bash vulnerabilities ranked 2nd and 4th (aka Shellshock) could, if exploited, affect a variety of services and devices, such as web applications, Linux-based embedded systems, wireless home routers and network attached storage devices. In the U.S., attacks exploiting them were observed. Because the effect of such attacks could be broad, IPA issued an emergency security alert for Shellshock(*16).

Table 3-1. Top 20 Most Accessed Vulnerability Countermeasure Information in JVN iPedia [Jul. 2014 – Sep. 2014]

#   ID                  CVSS Score   Date Public   Title
1   JVNDB-2014-000048   4.0          2014/6/6      OpenSSL improper handling of Change Cipher Spec message
2   JVNDB-2014-004410   10.0         2014/9/29     GNU bash arbitrary code execution vulnerability
3   JVNDB-2014-000045   7.5          2014/4/25     Apache Struts vulnerable to ClassLoader manipulation
4   JVNDB-2014-004399   10.0         2014/9/26     GNU bash vulnerability allows an attacker to write to file
5   JVNDB-2014-003474   6.8          2014/7/22     Apache HTTP Server mod_status module vulnerable to denial-of-service (DoS)
6   JVNDB-2014-000087   6.4          2014/7/29     Multiple I-O DATA IP Cameras vulnerable to authentication bypass
7   JVNDB-2014-000017   5.0          2014/2/10     Apache Commons FileUpload vulnerable to denial-of-service (DoS)
8   JVNDB-2014-002767   4.3          2014/6/9      The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL vulnerable to denial-of-service (DoS)
9   JVNDB-2014-003719   5.0          2014/8/12     OpenSSL Client vulnerable to null pointer dereference
10  JVNDB-2014-003817   7.5          2014/8/15     Buffer overflow vulnerabilities in crypto/srp/srp_lib.c in the SRP implementation in OpenSSL
11  JVNDB-2014-002766   4.3          2014/6/9      The dtls1_get_message_fragment function in d1_both.c in OpenSSL vulnerable to denial-of-service (DoS)
12  JVNDB-2014-003812   4.3          2014/8/15     The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL vulnerable to information disclosure
13  JVNDB-2014-000071   5.1          2014/7/8      Becky! Internet Mail vulnerable to buffer overflow
14  JVNDB-2014-002765   6.8          2014/6/9      The dtls1_reassemble_fragment function in d1_both.c in OpenSSL vulnerable to arbitrary code execution
15  JVNDB-2014-000102   4.0          2014/8/29     Kindle App for Android fails to verify SSL server certificates
16  JVNDB-2014-003475   5.0          2014/7/22     Apache HTTP Server mod_cgid module vulnerable to denial-of-service (DoS)
17  JVNDB-2014-000072   7.5          2014/7/15     Seasar S2Struts vulnerable to ClassLoader manipulation
18  JVNDB-2014-003473   4.3          2014/7/22     Denial-of-service (DoS) vulnerability in mod_deflate.c in mod_deflate module in Apache HTTP Server
19  JVNDB-2014-003472   4.3          2014/7/22     Apache HTTP Server mod_proxy module vulnerable to denial-of-service (DoS)
20  JVNDB-2014-001920   5.0          2014/4/8      OpenSSL heartbeat extension information disclosure vulnerability

Table 3-2 lists the top 5 most accessed vulnerability countermeasure information entries among those reported by domestic product developers. The severity of the vulnerabilities ranked 1st and 2nd is level III (High), meaning they could cause serious damage, such as information theft, data modification and denial of service.

Table 3-2. Top 5 Most Accessed Vulnerability Countermeasure Information Reported by Domestic Developers [Jul. 2014 - Sep. 2014]

#   ID                  CVSS Score   Date Public   Title
1   JVNDB-2014-002800   9.0          2014/6/11     Multiple Vulnerabilities in Hitachi Tuning Manager and JP1/Performance Management - Manager Web Option
2   JVNDB-2014-002802   9.4          2014/6/11     Xml eXternal Entity Vulnerability in XML link function of Hitachi COBOL2002
3   JVNDB-2007-001022   4.3          2007/12/25    Apache UTF-7 Encoding Cross-Site Scripting Vulnerability
4   JVNDB-2011-001633   5.1          2011/5/26     Header Customization by Hitachi Web Server RequestHeader Directive Could Allow Attacker to Access Data Deleted from Memory
5   JVNDB-2008-001313   5.0          2008/5/9      JP1/Cm2/Network Node Manager Denial of Service Vulnerability

Note 1) Color Code for CVSS Base Score and Severity Level

  CVSS Base Score = 0.0~3.9  : Severity Level = I (Low)
  CVSS Base Score = 4.0~6.9  : Severity Level = II (Medium)
  CVSS Base Score = 7.0~10.0 : Severity Level = III (High)

Note 2) Color Code for Published Date

  Published in 2012 and before / Published in 2013 / Published in 2014

Footnotes

(*1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information, providing information on vendor responses to reported vulnerabilities and on security support. Operated jointly by IPA and JPCERT/CC.
http://jvn.jp/en/

(*2) National Vulnerability Database. A vulnerability database operated by NIST.
http://nvd.nist.gov/home.cfm

(*3) National Institute of Standards and Technology. A U.S. federal agency that develops and promotes measurement, standards and technology.
http://www.nist.gov/

(*4) Common Weakness Enumeration
http://www.ipa.go.jp/security/vuln/CWE.html (in Japanese)

(*5) CERT/CC (CERT Coordination Center): An organization that handles and works on Internet security issues.

(*6) Android application SSL spreadsheet (617 entries as of September 18, 2014)
https://docs.google.com/spreadsheets/d/1t5GXwjw82SyunALVJb2w0zi3FoLRIkfGPc7AMjRF0r4/edit?usp=sharing

(*7) JVNVU#90369988: Multiple android applications fail to properly validate SSL certificates
Based on the advisory issued by CERT/CC.
https://jvn.jp/vu/JVNVU90369988/ (in Japanese)

(*8) Press Release: [Security Alert] To android application developers: implement SSL server certificate validation if communicating data over HTTPS
http://www.ipa.go.jp/about/press/20140919_1.html (in Japanese)

(*9) Android Application Vulnerability Learning/Checking Tool “AnCoLe”
http://www.ipa.go.jp/security/vuln/ancole/index.html (in Japanese)

(*10) Common Vulnerabilities and Exposures
http://www.ipa.go.jp/security/vuln/CVE.html (in Japanese)

(*11) MITRE Corporation: A non-profit national technology resource that provides information technology support and research and development, among other things, to the U.S. government.
http://www.mitre.org

(*12) Vulnerability Countermeasure Information Sharing Framework “MyJVN”
http://jvndb.jvn.jp/en/apis/myjvn/index.html

(*13) http://www.ipa.go.jp/security/awareness/vendor/programmingv2/index.html (in Japanese)

(*14) Press Release: Web application version of hands-on vulnerability learning and experiencing tool “AppGoat” features enhanced
https://www.ipa.go.jp/about/press/20140310.html (in Japanese)

(*15) Hands-on vulnerability learning and experiencing tool “AppGoat”
http://www.ipa.go.jp/security/vuln/appgoat/index.html (in Japanese)

(*16) http://www.ipa.go.jp/security/ciadr/vul/20140926-bash.html (in Japanese)

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)