Apr. 15, 2015
IT Security Center
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/en/) is endeavoring to become a comprehensive database in which vulnerability countermeasure information about software used in Japan is aggregated so that IT users can easily access it. JVN iPedia collects and/or translates the vulnerability countermeasure information published by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), a vulnerability information database run by NIST(*3). JVN iPedia has made this information available to the public since April 25, 2007.
~ Total of 53,235 vulnerability information stored in JVN iPedia ~
A summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 1st quarter of 2015 (January 1 to March 31, 2015) is shown in the table below. As of the end of March 2015, the total number of vulnerabilities stored in JVN iPedia is 53,235 (see Table 1-1, Figure 1-1).
As for the English version, a total of 1,184 vulnerabilities is available, as shown in the lower half of the table.
Table 1-1. Vulnerability information registered to JVN iPedia, 2015/1Q

| Version | Information Source | Registered Cases | Cumulative Cases |
|---|---|---|---|
| Japanese Version | Domestic Product Developers | 5 cases | 166 cases |
| Japanese Version | JVN | 181 cases | 5,218 cases |
| Japanese Version | NVD | 1,550 cases | 47,851 cases |
| Japanese Version | Total | 1,736 cases | 53,235 cases |
| English Version | Domestic Product Developers | 5 cases | 166 cases |
| English Version | JVN | 41 cases | 1,018 cases |
| English Version | Total | 46 cases | 1,184 cases |
~ 63.3 percent of the Windows Server 2003 vulnerabilities disclosed in the past year were the most critical “Level III (High)” ones ~
*Note: At the time of publication of this report (the English version of the quarterly report 2015/1Q), the end of life date for Java SE 7 has already been reached.
Support for Java SE 7 (Java Platform, Standard Edition 7) is going to be terminated on April 30, 2015, and that for Windows Server 2003 on July 14, 2015. With the end of support, no more patches will be provided even if new vulnerabilities are discovered, and the risk of malware infection through attacks that exploit unfixed vulnerabilities increases. Users should migrate to newer, supported versions as soon as possible. Please see the IPA security alerts for the risk of continued use of Java SE 7 and Windows Server 2003 after the end of support(*4)(*5).
In the last year, from April 2014 to March 2015, many vulnerabilities were found in Java SE 7 and Windows Server 2003. Below, we give a brief summary for each software product.
(1) Java SE 7
Oracle Corporation is going to end support for Java SE 7 on April 30, 2015. Oracle usually releases security patches for its software quarterly, but after the end of support, official, free patches are no longer available for Java SE 7(*6).
During the period from April 2014 to March 2015, 88 vulnerabilities were found in JRE 7 (part of Java SE 7) and registered to JVN iPedia (Figure 1-2-1). Among them, 43.2 percent were the most critical “Level III (High)” vulnerabilities. Considering that the ratio of Level III (High) vulnerabilities to all vulnerabilities registered to JVN iPedia during the same period is 24.8 percent, you can see that a high percentage of JRE 7 vulnerabilities are critical ones (Figure 1-2-2, Figure 1-2-3).
(2) Windows Server 2003
Microsoft Corporation is going to end support for Windows Server 2003 on July 14, 2015. After the end of support, security patches for Windows Server 2003 will no longer be available.
During the period from April 2014 to March 2015, 49 vulnerabilities were found in Windows Server 2003 and registered to JVN iPedia (Figure 1-2-4). Among them, 63.3 percent were the most critical “Level III (High)” vulnerabilities. Compared to the ratio of Level III (High) vulnerabilities to all vulnerabilities registered to JVN iPedia during the same period, this is more than two and a half times higher (Figure 1-2-5, Figure 1-2-6).
When a vulnerability is found in supported software, its vendor provides patches and system administrators can fix the vulnerability. However, when a vulnerability is found in end-of-support software, system administrators cannot fix it because the vendor no longer provides patches. Therefore, continuing to use end-of-support software could lead to various undesirable consequences, such as malware infection and system hijacking, through attacks that exploit unfixed vulnerabilities.
System administrators should check whether the software they are using is indeed supported and, if any of it is end-of-support or soon-to-be end-of-support software, develop a migration plan and migrate to newer, supported versions as needed.
Figure 2-1 illustrates the number of vulnerability countermeasure information entries newly added to JVN iPedia during the 1st quarter of 2015, sorted by CWE vulnerability type.
The type of vulnerability reported most during this quarter is CWE-79 (Cross-Site Scripting) with 289 cases, followed by CWE-264 (Permissions, Privileges and Access Controls) with 143 cases and CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) with 130 cases.
CWE-79 (Cross-Site Scripting) could allow an attacker to access important data, modify it and/or possibly do other things by executing malicious scripts on the PC running a browser.
Software developers need to make sure to implement necessary security measures from the planning and design phase of software development to mitigate vulnerability. IPA provides the tools and guidelines, such as “Secure Programming Courses”(*7) to promote secure programming, “AppGoat”(*8) to help learn and understand vulnerability through practice and exercise, and “AnCoLe”(*9) for Android application developers to learn about and scan vulnerabilities.
Figure 2-2 shows the annual change in the severity of vulnerabilities newly added to JVN iPedia based on the date they were first published.
As of the end of March 2015, 40.4 percent of all vulnerabilities registered since the launch of JVN iPedia are level III (“High”, CVSS Base Score = 7.0-10.0), 52.5 percent are level II (“Medium”, CVSS Base Score = 4.0-6.9), and 7.1 percent are level I (“Low”, CVSS Base Score = 0.0-3.9).
This means the severity of 93 percent of the known vulnerabilities is level II or higher, which are threats critical enough to cause a service outage. To avoid the threats posed by known vulnerabilities, it is essential for IT users to update software to the latest version or apply security patches as soon as they become available.
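As an added example (not code from IPA or JVN iPedia), the following reproduces the report's severity bucketing and its "Level III share versus the whole database" comparison on rows written in the pipe-delimited table format used on this page; the embedded sample rows are taken from Table 3-1 of this report, and the keyword-based subset selection is an assumption of the example.

```python
"""Parse rows in the report's pipe-delimited table format, map CVSS v2 base
scores to the report's severity levels (I/II/III), and compare a subset's
share of Level III entries with the baseline over all rows, as the report
does for JRE 7 and Windows Server 2003. Added example, not IPA/JVN code."""
import re

def severity_level(base_score: float) -> str:
    """Severity level as the report defines it from the CVSS v2 base score."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score}")
    if base_score >= 7.0:
        return "III"  # High: 7.0-10.0
    if base_score >= 4.0:
        return "II"   # Medium: 4.0-6.9
    return "I"        # Low: 0.0-3.9

def parse_row(line: str) -> dict:
    """'|rank||id||title||score||date|' -> dict with typed rank and score."""
    m = re.fullmatch(r"\|(.*)\|", line.strip())
    cells = m.group(1).split("||") if m else []
    if len(cells) != 5:
        raise ValueError(f"expected 5 cells in table row: {line!r}")
    rank, vid, title, score, date = cells
    return {"rank": int(rank), "id": vid, "title": title,
            "score": float(score), "date": date}

# Sample rows taken from Table 3-1 of this report, in the report's own format.
ROWS = [
    "|1||JVNDB-2015-001009||ssl3_get_key_exchange function in s3_clnt.c in OpenSSL vulnerable to RSA-to-EXPORT_RSA downgrade attacks (Japanese)||5.0||2015/1/13|",
    "|3||JVNDB-2015-001251||glibc library buffer overflow vulnerability (Japanese)||10.0||2015/1/29|",
    "|4||JVNDB-2015-001596||Netlogon server implementation in smbd in Samba vulnerable to arbitrary code execution (Japanese)||10.0||2015/2/25|",
    "|6||JVNDB-2014-000048||OpenSSL improper handling of Change Cipher Spec message||4.0||2014/6/6|",
    "|9||JVNDB-2014-007352||Stack-based buffer overflow vulnerability in ntpd in NTP (Japanese)||7.5||2014/12/24|",
    "|12||JVNDB-2015-000019||Squid input validation vulnerability||4.3||2015/2/20|",
]

def severity_shares(records) -> dict:
    """Fraction of records at each level, e.g. {'I': 0.0, 'II': 0.5, 'III': 0.5}."""
    counts = {"I": 0, "II": 0, "III": 0}
    for r in records:
        counts[severity_level(r["score"])] += 1
    return {lvl: n / len(records) for lvl, n in counts.items()} if records else counts

def level3_ratio(records, keyword: str) -> float:
    """Level III share among records whose title contains keyword, divided by
    the Level III share over all records (the report's 'X times' comparison)."""
    subset = [r for r in records if keyword in r["title"]]
    baseline = severity_shares(records)["III"]
    if not subset or baseline == 0:
        raise ValueError("empty subset or no Level III entries in baseline")
    return severity_shares(subset)["III"] / baseline
```

Applied to a full quarterly export, the same functions give the per-product Level III share the report quotes for JRE 7 and Windows Server 2003.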
Figure 2-3 shows the annual change in the type of software applications newly added to JVN iPedia for having vulnerabilities, based on their disclosure date. Application vulnerabilities are published most and account for 85.2 percent of the total.
Since 2008, vulnerabilities in industrial control systems (ICS) used in critical infrastructure have started to be publicly reported. As of 2015/1Q, a total of 632 ICS vulnerabilities has been registered (Figure 2-4).
Table 2-4 lists the top 20 software whose vulnerabilities were most registered/updated during the 1st quarter (January to March) of 2015. As shown below, browsers - Google Chrome and Microsoft Internet Explorer - ranked 1st and 2nd respectively, and the number of vulnerabilities found in them is outstanding compared to others. Below the top 2, operating systems (OS) from widely popular vendors, such as Apple, Microsoft and Oracle, dominate the ranking.
Besides browsers and OS, JVN iPedia stores vulnerability information on a variety of software, such as OpenSSL, a cryptography library used in a wide range of products. IT users could check vulnerability information about the software they use with JVN iPedia and take action efficiently(*10).
Table 2-4. Top 20 software products whose vulnerabilities were most registered/updated, 2015/1Q

| Rank | Category | Product Name (Vendor) | Number of Vulnerabilities Registered/Updated |
|---|---|---|---|
| 1 | Browser | Google Chrome (Google) | 109 |
| 2 | Browser | Microsoft Internet Explorer (Microsoft) | 94 |
| 3 | OS | Apple Mac OS X (Apple) | 43 |
| 4 | Media Player | Adobe Flash Player (Adobe Systems) | 42 |
| 5 | OS | Microsoft Windows Server 2012 (Microsoft) | 39 |
| 6 | OS | Microsoft Windows Server 2008 (Microsoft) | 38 |
| 7 | OS | Microsoft Windows 8.1 (Microsoft) | 37 |
| 8 | OS | Microsoft Windows 8 (Microsoft) | 36 |
| 9 | OS | Microsoft Windows 7 (Microsoft) | 35 |
| 10 | OS | Microsoft Windows RT (Microsoft) | 33 |
| 11 | OS | Microsoft Windows Vista (Microsoft) | 30 |
| 11 | Browser | Mozilla Firefox (Mozilla Foundation) | 30 |
| 13 | OS | Microsoft Windows Server 2003 (Microsoft) | 29 |
| 14 | OS | Oracle Solaris (Oracle) | 27 |
| 14 | OS | Microsoft Windows RT 8.1 (Microsoft) | 27 |
| 17 | OS | Cisco IOS (Cisco) | 24 |
| 18 | OS | Linux Kernel (Kernel.org) | 21 |
| 19 | Cryptography Library | OpenSSL (OpenSSL Project) | 20 |
Table 3-1 lists the top 20 most accessed vulnerability information entries in JVN iPedia during the 1st quarter of 2015 (January – March). OpenSSL vulnerabilities ranked 1st, 2nd, 6th, 10th, 11th, 13th, 15th, 17th, and 18th, accounting for 9 of the top 20, which suggests OpenSSL has attracted a lot of attention. Software widely used by various commercial products, such as glibc, ntp, php and Oracle Java SE, also ranks in the list, which shows the high attention paid by users.
Table 3-1. Top 20 most accessed vulnerability information in JVN iPedia, 2015/1Q

| Rank | ID | Title | CVSS Base Score | Published Date |
|---|---|---|---|---|
| 1 | JVNDB-2015-001009 | ssl3_get_key_exchange function in s3_clnt.c in OpenSSL vulnerable to RSA-to-EXPORT_RSA downgrade attacks (Japanese) | 5.0 | 2015/1/13 |
| 2 | JVNDB-2014-004670 | SSL (including the implementation in OpenSSL) allows an attacker to calculate the plaintext of secure connections (Japanese) | 4.3 | 2014/10/16 |
| 3 | JVNDB-2015-001251 | glibc library buffer overflow vulnerability (Japanese) | 10.0 | 2015/1/29 |
| 4 | JVNDB-2015-001596 | Netlogon server implementation in smbd in Samba vulnerable to arbitrary code execution (Japanese) | 10.0 | 2015/2/25 |
| 5 | JVNDB-2014-005869 | SSL profiles component in multiple F5 products allows an attacker to obtain cleartext data (Japanese) | 4.3 | 2014/12/11 |
| 6 | JVNDB-2014-000048 | OpenSSL improper handling of Change Cipher Spec message | 4.0 | 2014/6/6 |
| 7 | JVNDB-2014-007416 | Vulnerability in GNOME Shell allows an attacker to execute arbitrary command on the unmanned work station (Japanese) | 7.2 | 2015/1/5 |
| 8 | JVNDB-2015-001252 | process_nested_data function in ext/standard/var_unserializer.re in PHP vulnerable to arbitrary code execution (Japanese) | 7.5 | 2015/1/29 |
| 9 | JVNDB-2014-007352 | Stack-based buffer overflow vulnerability in ntpd in NTP (Japanese) | 7.5 | 2014/12/24 |
| 10 | JVNDB-2015-001011 | dtls1_buffer_record function in d1_pkt.c in OpenSSL vulnerable to denial of service (DoS) (Japanese) | 5.0 | 2015/1/13 |
| 11 | JVNDB-2014-007389 | ssl23_get_client_hello function in s23_srvr.c in OpenSSL vulnerable to denial of service (DoS) (Japanese) | 5.0 | 2014/12/25 |
| 12 | JVNDB-2015-000019 | Squid input validation vulnerability | 4.3 | 2015/2/20 |
| 13 | JVNDB-2015-001010 | ssl3_get_cert_verify function in s3_srvr.c in OpenSSL vulnerable to unauthorized access (DH client certificates accepted without verification) (Japanese) | 5.0 | 2015/1/13 |
| 14 | JVNDB-2015-000007 | Vulnerability in multiple VMware products allows an attacker to overwrite arbitrary files | 6.0 | 2015/1/29 |
| 15 | JVNDB-2014-007552 | OpenSSL denial-of-service (DoS) vulnerability (Japanese) | 5.0 | 2015/1/13 |
| 16 | JVNDB-2015-001253 | exif_process_unicode function in ext/exif/exif.c in PHP vulnerable to arbitrary code execution (Japanese) | 6.8 | 2015/1/29 |
| 17 | JVNDB-2014-007551 | BN_sqr implementation in OpenSSL allows an attacker to defeat cryptographic protection mechanisms (Japanese) | 5.0 | 2015/1/13 |
| 18 | JVNDB-2014-007554 | Vulnerability in OpenSSL allows an attacker to defeat a fingerprint-based certificate-blacklist protection mechanism (Japanese) | 5.0 | 2015/1/13 |
| 19 | JVNDB-2015-001665 | Vulnerability in Schannel in multiple Microsoft Windows products allows an attacker to conduct cipher-downgrade attacks to EXPORT_RSA ciphers (Japanese) | 5.0 | 2015/3/9 |
| 20 | JVNDB-2015-001085 | Vulnerability in Oracle Java SE Hotspot (Japanese) | 10.0 | 2015/1/21 |
Table 3-2 lists the top 5 most accessed vulnerability information entries among those reported by domestic product developers. The top 2 vulnerabilities were disclosed this quarter.
The severity of the vulnerabilities ranked 4th and 5th is level III (High) with the highest CVSS Base Score, “10”. The score “10” indicates that, because an attacker can easily exploit the vulnerability remotely via the Internet without authentication, serious harm may be done if attacked.
Table 3-2. Top 5 most accessed vulnerability information reported by domestic product developers, 2015/1Q

| Rank | ID | Title | CVSS Base Score | Published Date |
|---|---|---|---|---|
| 1 | JVNDB-2015-001268 | Cross-site Scripting Vulnerability in Hitachi Command Suite Products | 4.3 | 2015/2/2 |
| 2 | JVNDB-2015-001269 | Cross-site Scripting Vulnerability in Hitachi Application Server Help | 4.3 | 2015/2/2 |
| 3 | JVNDB-2014-004833 | Vulnerability in JP1/NETM/DM and Job Management Partner 1/Software Distribution data reproduction functionality | 4.6 | 2014/10/20 |
| 4 | JVNDB-2014-005987 | Multiple Vulnerabilities in JP1/Cm2/Network Node Manager i | 10.0 | 2014/12/16 |
| 5 | JVNDB-2014-005986 | Multiple buffer overflows in Hitachi JP1/Cm2/Network Node Manager i | 10.0 | 2014/12/16 |
Note 1) Color Code for CVSS Base Score and Severity Level
CVSS Base Score 0.0-3.9: Severity Level = I (Low)
CVSS Base Score 4.0-6.9: Severity Level = II (Medium)
CVSS Base Score 7.0-10.0: Severity Level = III (High)
Note 2) Color Code for Published Date
Published in 2013 and before / Published in 2014 / Published in 2015
(*1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information providing information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.
(*2) National Vulnerability Database. A vulnerability database operated by NIST.
(*3) National Institute of Standards and Technology. A U.S. federal agency that develops and promotes measurement, standards and technology.
(*4) Security Alert: Upcoming End-of-Support for Java SE
(*5) Security Alert: Upcoming End-of-Support for Windows Server 2003
(*6) Oracle Java SE Support Roadmap
(*7) Secure Programming Courses
(*8) Hands-on vulnerability learning and experiencing tool “AppGoat”
(*9) Android Application Vulnerability Learning/Checking Tool “AnCoLe”
(*10) IPA Technical Watch: Tips on Vulnerability Management (Practice)
The guide gives tips on how to effectively and efficiently collect and use vulnerability information.
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)