Mar. 9, 2015
IT Security Center
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/) is endeavoring to become a comprehensive database where vulnerability countermeasure information about software used in Japan is aggregated so that IT users can easily access it. JVN iPedia collects and/or translates the vulnerability countermeasure information published by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), a vulnerability information database run by NIST(*3). JVN iPedia has made this information available to the public since April 25, 2007.
~ Total of 51,499 Vulnerability information stored in JVN iPedia ~
The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 4th quarter of 2014 (October 1 to December 31, 2014) is shown in the table below. As of the end of December 2014, the total number of vulnerabilities stored in JVN iPedia is 51,499 (See Table 1-1, Figure 1-1). Compared to the last quarter, the number of JVN-sourced vulnerabilities increased dramatically to 1,408. This is because more than 1,200 Android application vulnerabilities have been published and added to the database following the disclosure of the Android SSL improper validation vulnerability on September 5(*4).
As for the English version, the total of 1,138 vulnerabilities is available as shown in the lower half of the table.
| Version | Information Source | Registered Cases | Cumulative Cases |
|---|---|---|---|
| Japanese Version | Domestic Product Developers | 3 cases | 161 cases |
| | JVN | 1,408 cases | 5,037 cases |
| | NVD | 1,661 cases | 46,301 cases |
| | Total | 3,072 cases | 51,499 cases |
| English Version | Domestic Product Developers | 3 cases | 161 cases |
| | JVN | 34 cases | 977 cases |
| | Total | 37 cases | 1,138 cases |
~ Many vulnerabilities in software widely used in commercial products, such as OpenSSL, Apache Struts and Bash, have been disclosed ~
In 2014, many vulnerabilities that could affect widely used software products were disclosed. Among those especially picked up by the news media were three pieces of software that are commonly used, for example to build websites: OpenSSL, Apache Struts and Bash.
According to the media, the vulnerability in OpenSSL(*5), which is used to encrypt communication, was exploited in attacks in Japan as well and caused a data breach(*6). In the case of Apache Struts, which is used to build websites, the vulnerability(*7) was not properly resolved by the first patch and the vendor ended up releasing multiple patches for the same vulnerability, forcing system administrators to look for the information and implement the fixes time and again. The Bash vulnerability affected many products because Bash is standard software on UNIX-based operating systems. Attacks exploiting the Bash vulnerability were also observed(*8).
Table 1-2-1 shows the top 20 most-accessed vulnerabilities in JVN iPedia in 2014. Their hit counts suggest high public interest.
As shown in the “Number of Updates” column in Table 1-2-1, some vulnerabilities in OpenSSL, Apache Struts and Bash have been updated more than ten times. This is because these three programs are used in numerous products, including commercial ones, and as affected products are added or fixes become available, the information on JVN iPedia is updated accordingly. After the initial disclosure of a vulnerability, the list of affected products often keeps growing over the following days. Therefore, it is very important for system administrators to check daily whether vulnerability information about the products they use has been newly disclosed and/or updated.
Figure 1-2-2 shows the breakdown of the top 20 vulnerabilities listed in Table 1-2-1 by product.
OpenSSL-, Apache- and Bash-related vulnerabilities account for 16 out of 20, or 80 percent, of all products that appear in Figure 1-2-2. This shows that IT users, including system administrators, are paying close attention to this software.
The system administrators of website operators should check vulnerability information, including updates, as needed. When collecting information, consider using tools such as the Filtered Vulnerability Countermeasure Information Tool (aka “mjcheck3”)(*9) to make information gathering and vulnerability fixing more efficient.
~ A steel mill in Germany physically damaged by cyber attack ~
As a German government agency reported in December 2014 that a steel mill in Germany suffered severe physical damage from a cyber attack(*10), threats to industrial control systems (ICS) are becoming real. The need to implement cybersecurity measures that protect ICS from such threats grows every day. Since 2013, as part of the effort to improve the cyber security of ICS, IPA has been participating in a pilot program to establish and facilitate in Japan the Embedded Device Security Assurance (EDSA) Certification scheme(*11), which evaluates whether an industrial control device satisfies certain security requirements. Figure 1-3-1 shows the number of ICS vulnerabilities registered to JVN iPedia per year. A total of 597 vulnerabilities has been registered so far, and since 2012 over 100 ICS vulnerabilities have been added every year.
Figure 1-3-2 is a pie chart of the severity of ICS vulnerabilities. The highest severity, “Level III” (High, CVSS Base Score = 7.0-10.0), accounts for 57 percent, which means more than half of the ICS vulnerabilities could cause severe damage, such as serious service disruption and information leaks.
ICS administrators should check vulnerability information regularly, and if a vulnerability is found in a product they use, ask their vendor or retailer for a solution, such as an updated version or a fix, and take the necessary action as soon as possible. If they cannot take action immediately for some reason, they should evaluate the system environment, such as the network environment in which the vulnerable ICS operates and the risks it faces, and consider what can be done to reduce those risks and mitigate the threats(*12).
Figure 2-1 illustrates the number of vulnerability countermeasure information entries registered during the 4th quarter of 2014, sorted by vulnerability type using CWE.
The vulnerability type reported most during this quarter is CWE-310 (Cryptographic Issues) with 1,323 cases, followed by CWE-79 (Cross-Site Scripting) with 281 cases and CWE-264 (Permissions, Privileges and Access Controls) with 159 cases. The most reported type, CWE-310 (Cryptographic Issues), could allow an attacker to forge SSL certificates so that a fake website can impersonate the authentic one. The reason so many CWE-310 vulnerabilities were registered this quarter is that more than 1,200 Android application vulnerabilities were published and registered following the disclosure of the Android SSL improper validation vulnerability(*13).
Software developers need to implement the necessary security measures from the planning and design phase of software development onward in order to reduce vulnerabilities. IPA provides tools and guidelines, such as the “Secure Programming Courses”(*14) to promote secure programming, “AppGoat”(*15) to help learn and understand vulnerabilities through practice and exercises(*16), and “AnCoLe”(*17) for Android application developers to learn about and scan for vulnerabilities.
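The weakness behind the Android SSL improper validation advisory above is a TLS client that skips certificate and hostname validation, so a forged certificate is accepted and a fake site can pass as the real one. The following is an added example, not code from the IPA report or from any of the affected applications, and it uses Python's standard `ssl` module rather than the Android API; the function names `make_insecure_context`, `make_verified_context` and `audit_context` are assumptions made here. It puts the weak configuration beside the corrected one and adds a small audit that a developer or reviewer could run over an application's TLS contexts before release.

```python
"""Added example (not part of the IPA report): the CWE-310 improper-validation
pattern, shown with Python's ssl module. All names here are assumptions."""
import ssl
from typing import List, Optional


def make_insecure_context() -> ssl.SSLContext:
    """The weak configuration.

    Neither the certificate chain nor the hostname is checked, so any
    certificate, including one minted by a man-in-the-middle, is accepted.
    This is the Python equivalent of an Android TrustManager that accepts
    every certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_verified_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The corrected configuration.

    The chain is verified against the trusted CA store (or the given CA file,
    e.g. for certificate pinning) and the certificate must match the hostname.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context already sets these; they are stated explicitly so
    # that a later edit cannot silently regress the setting.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings for a TLS client context; empty means no weakness found."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: the peer certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a certificate for another host is accepted")
    return findings


if __name__ == "__main__":
    for label, ctx in (("insecure", make_insecure_context()),
                       ("verified", make_verified_context())):
        print(label, audit_context(ctx) or ["no findings"])
```

The audit only inspects configuration, which is what CWE-310 findings of this kind come down to: a connection made with the first context will succeed against any certificate, while the second refuses the handshake unless the chain and hostname check out.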
Figure 2-2 shows the annual change in the severity of vulnerabilities registered to JVN iPedia based on the date they were first published.
As of the end of December 2014, 40.7 percent of all vulnerabilities registered since the launch of JVN iPedia are level III (“High”, CVSS Base Score = 7.0-10.0), 52.3 percent are level II (“Medium”, CVSS Base Score = 4.0-6.9) and 7 percent are level I (“Low”, CVSS Base Score = 0.0-3.9).
This means the severity of 93 percent of the known vulnerabilities is level II or higher, which are threats critical enough to cause a service outage. To avoid the threats posed by known vulnerabilities, it is essential for IT users to update software or apply security patches as soon as they become available.
Figure 2-3 shows the annual change in the types of software registered to JVN iPedia for having vulnerabilities, based on their respective vulnerability release dates. Application vulnerabilities are published the most and account for 85.3 percent of the total.
Since 2008, vulnerabilities in Industrial Control Systems (ICS) used in fields such as critical infrastructure have been added as well. During this quarter, 23 ICS vulnerabilities were registered, bringing the total to 597(*18).
Table 2-4 lists the top 20 software products for which the most vulnerabilities were registered during the 4th quarter (October to December) of 2014. As seen below, browsers ranked high: Internet Explorer (1), Google Chrome (2) and Mozilla Firefox (12). Also, quite a number of software products by Hitachi Ltd. have had vulnerabilities fixed.
Besides browsers and applications that are updated often, JVN iPedia stores vulnerability information on a wide variety of software products. IT users can check vulnerability information about the products they use and take action efficiently.
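The two recommendations in this report, checking daily whether entries for the products you use are new or updated, and treating level II and above as needing prompt patching, can be combined in a small triage script. The following is an added example, not a tool from IPA or JVN iPedia; the record layout, the sample entries (with obviously constructed `JVNDB-EXAMPLE-*` identifiers), and the function names `severity_level`, `daily_check` and `severity_breakdown` are assumptions made here, while the severity thresholds are the ones the report states. It compares yesterday's snapshot of the database with today's, flags new entries and entries whose affected-product list or score changed, restricts the result to a watch list of products, and orders it by CVSS base score so the level III items come first.

```python
"""Added example (not part of the IPA report): a daily new/updated check over
JVN iPedia-style records with severity triage. Record fields, sample entries
and function names are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, List


def severity_level(cvss_base: float) -> str:
    """Map a CVSS base score to the report's levels: I 0.0-3.9, II 4.0-6.9, III 7.0-10.0."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss_base}")
    if cvss_base >= 7.0:
        return "III"
    if cvss_base >= 4.0:
        return "II"
    return "I"


@dataclass(frozen=True)
class Entry:
    id: str                    # JVN iPedia identifier (constructed values below)
    title: str
    cvss_base: float
    published: date
    updated: date              # last update to the entry, e.g. when products were added
    products: FrozenSet[str]   # affected products named in the entry


def daily_check(previous: Iterable[Entry], current: Iterable[Entry],
                watched: FrozenSet[str]) -> Dict[str, List[Entry]]:
    """Return {"new": [...], "updated": [...]} for entries touching watched products.

    An entry counts as updated when its update date advanced, its affected
    products changed, or its score changed since the previous snapshot.
    Each list is sorted by descending CVSS base score, then by id.
    """
    prev_by_id = {e.id: e for e in previous}
    new, updated = [], []
    for e in current:
        if not (e.products & watched):
            continue
        old = prev_by_id.get(e.id)
        if old is None:
            new.append(e)
        elif (e.updated > old.updated or e.products != old.products
              or e.cvss_base != old.cvss_base):
            updated.append(e)
    key = lambda e: (-e.cvss_base, e.id)
    return {"new": sorted(new, key=key), "updated": sorted(updated, key=key)}


def severity_breakdown(entries: Iterable[Entry]) -> Dict[str, float]:
    """Percentage of entries per severity level, rounded to one decimal (the report's style)."""
    counts = {"I": 0, "II": 0, "III": 0}
    entries = list(entries)
    for e in entries:
        counts[severity_level(e.cvss_base)] += 1
    total = len(entries)
    return {lvl: round(100.0 * n / total, 1) if total else 0.0 for lvl, n in counts.items()}


# Constructed sample snapshots (not real JVN iPedia records).
YESTERDAY = [
    Entry("JVNDB-EXAMPLE-0001", "Example: TLS library denial of service", 7.1,
          date(2014, 10, 23), date(2014, 10, 23), frozenset({"OpenSSL"})),
    Entry("JVNDB-EXAMPLE-0002", "Example: CMS cross-site scripting", 4.3,
          date(2014, 11, 1), date(2014, 11, 1), frozenset({"ExampleCMS"})),
]
TODAY = [
    # Same entry as yesterday, but an appliance was added to the affected products.
    Entry("JVNDB-EXAMPLE-0001", "Example: TLS library denial of service", 7.1,
          date(2014, 10, 23), date(2014, 12, 2), frozenset({"OpenSSL", "ExampleAppliance"})),
    Entry("JVNDB-EXAMPLE-0002", "Example: CMS cross-site scripting", 4.3,
          date(2014, 11, 1), date(2014, 11, 1), frozenset({"ExampleCMS"})),
    Entry("JVNDB-EXAMPLE-0003", "Example: shell remote code execution", 10.0,
          date(2014, 12, 3), date(2014, 12, 3), frozenset({"GNU bash"})),
    Entry("JVNDB-EXAMPLE-0004", "Example: product not on the watch list", 9.0,
          date(2014, 12, 3), date(2014, 12, 3), frozenset({"OtherProduct"})),
]
WATCHED = frozenset({"OpenSSL", "GNU bash", "ExampleCMS"})

if __name__ == "__main__":
    result = daily_check(YESTERDAY, TODAY, WATCHED)
    for kind in ("new", "updated"):
        for e in result[kind]:
            print(f"{kind:7} {e.id} level {severity_level(e.cvss_base):3} ({e.cvss_base}) {e.title}")
    print("severity breakdown of today's snapshot:", severity_breakdown(TODAY))
```

Running it reports the bash entry as new and the OpenSSL entry as updated (its product list grew, which is exactly the kind of change the “Number of Updates” column reflects), while the entry for the unwatched product is dropped; the breakdown of the constructed snapshot is 75 percent level III and 25 percent level II.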
| Rank | Category | Product Name (Vendor) | Number of Vulnerabilities |
|---|---|---|---|
| 1 | Browser | Internet Explorer (Microsoft) | 74 |
| 2 | Browser | Google Chrome (Google) | 56 |
| 4 | OS | Linux Kernel (Kernel.org) | 35 |
| 5 | Middleware | Oracle Database (Oracle) | 30 |
| 6 | Emulator | QEMU (Fabrice Bellard) | 29 |
| 7 | Media Player | Adobe Flash Player (Adobe Systems) | 28 |
| 8 | OS | Apple Mac OS X (Apple) | 26 |
| 9 | CMS | Plone (Plone Foundation) | 25 |
| 9 | Development Environment | JDK (Oracle) | 25 |
| 9 | Development Environment | JRE (Oracle) | 25 |
| 12 | Browser | Mozilla Firefox (Mozilla Foundation) | 23 |
| 13 | Development Environment | Adobe AIR SDK (Adobe Systems) | 22 |
| 13 | Development Environment | Adobe AIR (Adobe Systems) | 22 |
| 15 | PDF Viewer/Editor | Adobe Acrobat (Adobe Systems) | 20 |
| 15 | PDF Viewer | Adobe Reader (Adobe Systems) | 20 |
| | | uCosminexus Developer Standard (Hitachi) | 19 |
| | | uCosminexus Service Platform (Hitachi) | 19 |
| | | uCosminexus Primary Server (Hitachi) | 19 |
| | | uCosminexus Application Server (Hitachi) | 19 |
Table 3-1 lists the top 20 most accessed vulnerability countermeasure information entries in JVN iPedia during the 4th quarter of 2014 (October – December). The OpenSSL vulnerabilities ranked 1st, 3rd, 9th, 13th, 19th and 20th, occupying 6 out of 20. The GNU bash vulnerabilities ranked 2nd, 5th, 6th, 7th, 8th and 10th, also occupying 6 out of 20. Since both are widely used in commercial products and are likely in use at many organizations, many system administrators probably checked out those vulnerabilities.
| Rank | ID | Title | CVSS Base Score | Published Date |
|---|---|---|---|---|
| 1 | JVNDB-2014-004670 | SSL (including the implementation in OpenSSL) allows an attacker to calculate the plaintext of secure connections | 4.3 | 2014/10/16 |
| 2 | JVNDB-2014-004410 | GNU bash arbitrary code execution vulnerability | 10.0 | 2014/9/29 |
| 3 | JVNDB-2014-000048 | OpenSSL improper handling of Change Cipher Spec message | 4.0 | 2014/6/6 |
| 4 | JVNDB-2014-000126 | QNAP QTS vulnerable to OS command injection | 10.0 | 2014/10/28 |
| 5 | JVNDB-2014-004476 | GNU Bash Remote Code Execution Vulnerability | 10.0 | 2014/10/1 |
| 6 | JVNDB-2014-004399 | Bash Code Injection Vulnerability via Specially Crafted Environment Variables | 10.0 | 2014/9/26 |
| 7 | JVNDB-2014-004432 | Redirection implementation in parse.y in GNU Bash vulnerable to denial-of-service (DoS) | 10.0 | 2014/9/30 |
| 8 | JVNDB-2014-004433 | read_token_word function in parse.y in GNU Bash vulnerable to denial-of-service (DoS) | 10.0 | 2014/9/30 |
| 9 | JVNDB-2014-004940 | tls_decrypt_ticket function in t1_lib.c in OpenSSL vulnerable to denial-of-service (DoS) | 7.1 | 2014/10/23 |
| 10 | JVNDB-2014-004431 | GNU Bash Remote Code Execution Vulnerability | 10.0 | 2014/9/30 |
| 11 | JVNDB-2014-005708 | do_double_fault function in arch/x86/kernel/traps.c in Linux Kernel vulnerable to denial-of-service (DoS) | 4.9 | 2014/12/2 |
| 12 | JVNDB-2014-000130 | Multiple Cybozu products vulnerable to buffer overflow vulnerable to denial-of-service (DoS) | 9.0 | 2014/11/11 |
| 13 | JVNDB-2014-004939 | d1_srtp.c in DTLS SRTP Extension in OpenSSL | 7.1 | 2014/10/23 |
| 14 | JVNDB-2014-005869 | SSL profiles component in multiple F5 products allows an attacker to obtain cleartext data | 4.3 | 2014/12/11 |
| 15 | JVNDB-2011-002305 | SSL and TLS allow chosen plaintext attack in CBC modes | 4.3 | 2011/10/4 |
| 16 | JVNDB-2014-000131 | Ichitaro series vulnerable to arbitrary code execution | 9.3 | 2014/11/13 |
| 17 | JVNDB-2014-000148 | Kaku-San-Sei Million Arthur for Android information management vulnerability | 2.6 | 2014/12/4 |
| 18 | JVNDB-2014-000120 | Huawei E5332 vulnerable to denial-of-service (DoS) | 5.5 | 2014/10/10 |
| 19 | JVNDB-2014-001920 | OpenSSL heartbeat extension information disclosure vulnerability | 5.0 | 2014/4/8 |
| 20 | JVNDB-2014-004941 | OpenSSL access control bypass vulnerability | 4.3 | 2014/10/23 |
Table 3-2 lists the top 5 most accessed vulnerability countermeasure information entries among those reported by domestic product developers. The top 3 vulnerabilities were disclosed this quarter, and Hitachi JP1 has been the center of attention. The severity of the vulnerabilities ranked 2nd, 3rd and 5th is level III (High), meaning they could cause serious damage if exploited.
| Rank | ID | Title | CVSS Base Score | Published Date |
|---|---|---|---|---|
| 1 | JVNDB-2014-004833 | Vulnerability in JP1/NETM/DM and Job Management Partner 1/Software Distribution data reproduction functionality | 5.0 | 2014/10/20 |
| 2 | JVNDB-2014-005987 | Multiple Vulnerabilities in JP1/Cm2/Network Node Manager i | 10.0 | 2014/12/16 |
| 3 | JVNDB-2014-005986 | Multiple buffer overflows in Hitachi JP1/Cm2/Network Node Manager i | 10.0 | 2014/12/16 |
| 4 | JVNDB-2007-001022 | Apache UTF-7 Encoding Cross-Site Scripting Vulnerability | 4.3 | 2007/12/25 |
| 5 | JVNDB-2014-002800 | Multiple Vulnerabilities in Hitachi Tuning Manager and JP1/Performance Management - Manager Web Option | 9.0 | 2014/6/11 |
Note 1) Color Code for CVSS Base Score and Severity Level

| CVSS Base Score | Severity Level |
|---|---|
| 0.0-3.9 | I (Low) |
| 4.0-6.9 | II (Medium) |
| 7.0-10.0 | III (High) |

Note 2) Color Code for Published Date

| Published in 2012 and before | Published in 2013 | Published in 2014 |
|---|---|---|
(*1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information providing information on vendor responses to reported vulnerabilities and security support. Operated in collaboration between IPA and JPCERT/CC.
(*2) National Vulnerability Database: A vulnerability database operated by NIST.
(*3) National Institute of Standards and Technology: A U.S. federal agency that develops and promotes measurement, standards and technology.
(*4) Disclosed as JVNVU#90369988
(*5) Update: OpenSSL Vulnerability (CVE-2014-0160)
(*6) Unauthorized Access to Customer Information through Members-Only Web Services
(*7) Update: Apache Struts2 Vulnerabilities (CVE-2014-0094)(CVE-2014-0112)(CVE-2014-0113). Based on the advisory issued by CERT/CC.
(*8) Suspicious Accesses Targeting Bash Vulnerability (Third Report)
(*9) MyJVN Filtered Vulnerability Countermeasure Information Tool
(*10) Cyberattack Fells German Iron Plant – Revealed by Office of Information Security (BSI) annual report
(*11) Press Release: Embedded Device Security Assurance (EDSA) – Establishment of a domestic certification scheme and publication of the translated standards
(*12) Press Release: Security Alert on Control System Vulnerabilities
(*13) Disclosed as JVNVU#90369988
(*14) https://www.ipa.go.jp/security/awareness/vendor/programmingv2/index.html (in Japanese)
(*15) Press Release: Web application version of hands-on vulnerability learning and experiencing tool “AppGoat” features enhanced
(*16) Hands-on vulnerability learning and experiencing tool “AppGoat”
(*17) Android Application Vulnerability Learning/Checking Tool “AnCoLe”
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)