Aug. 21, 2015
IT Security Center
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/en/) is endeavoring to become a comprehensive database where vulnerability countermeasure information about software used in Japan is aggregated for IT users to easily access the information. JVN iPedia collects and/or translates the vulnerability countermeasure information published by 1) domestic software developers, 2) JVN (*1), a vulnerability information portal site, and 3) NVD (*2), a vulnerability information database run by NIST (*3). JVN iPedia has continued to make the vulnerability information available to the public since April 25, 2007.
~ Total of 54,714 vulnerability information stored in JVN iPedia ~
The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 2nd quarter of 2015 (April 1 to June 30, 2015) is shown in the table below. As of the end of June 2015, the total number of vulnerabilities stored in JVN iPedia is 54,714 (See Table 1-1, Figure 1-1).
As for the English version, it stores the total of 1,228 vulnerabilities as shown in the lower half of the table.
|Information Source||Registered Cases||Cumulative Cases|
|Japanese Version||Domestic Product Developers||2 cases||168 cases|
|JVN||178 cases||5,396 cases|
|NVD||1,299 cases||49,150 cases|
|Total||1,479 cases||54,714 cases|
|English Version||Domestic Product Developers||2 cases||168 cases|
|JVN||42 cases||1,060 cases|
|Total||44 cases||1,228 cases|
~ Vulnerabilities in medical systems and devices have been reported: Be aware of the risk of data breach and/or malfunction ~
In May 2015, a foreign security vendor has published a report on medical device hijack (*4). According to the report, there were incidents where medical devices infected with malware were abused as an attack launching point within the hospital’s internal network to steal data. Medical product software used in medical facilities may have vulnerabilities and they could be exploited by attackers to cause serious damage.
Table 1-2 is a list of JVN iPedia-stored vulnerabilities found in the systems and devices that handle medical data or are used in medical treatment. JVN iPedia began to publish vulnerability information about medical product software on February 9, 2012, and stores 22 vulnerabilities as of June 2015. Among them, 12 are about OpenEMR, an electronic health record and medical practice management software, and 3 are about Hospira MedNet, a medication management software.
The medical product software vulnerabilities published on JVN iPedia so far are mostly from the foreign sources, such as NVD (*5). Even if vulnerable products are foreign products, they would affect Japanese users and patients if those products are used in Japan. Or, vulnerability can be found in Japanese medical product software, too. The users and patients should be aware that medical product software may have vulnerabilities and they may be exploited just like PC software vulnerabilities.
For example, if a system that handles patients’ medical information has vulnerability, it may lead to the leak of the very sensitive data. If a medical device used for treatment has vulnerability, it may allow an attacker to cause malfunction. Administrators of medical facilities and users/patients of medical treatment devices are advised to recheck if the products they are using have vulnerability and take necessary actions.
See also a security alert on how to implement layered security (*6) to avoid damage inflicted by attacks.
~ 62% of Windows Server 2003 vulnerabilities reported in the past year are the most “critical” ~
The official support for Windows Server 2003 provided by Microsoft Corporation was ended on July 15, 2015 (Japan Standard Time). After the end of support, security patches will be no longer available for Windows Server 2003.
During the past year, from July 2014 to June 2015, 69 vulnerabilities were found in Windows Server 2013 and registered to JVN iPedia. Among them, 62 percent were the most critical “Level lll (High)” vulnerabilities. Comparing the ratio of the Level lll (High) vulnerabilities of Windows Server 2003 to that of the overall vulnerabilities registered to JVN iPedia during the same time period (26 percent), it is more than double (Figure 1-3-1).
Figure 1-3-2 shows the number and severity of Windows Server 2003 vulnerabilities registered to JVN iPedia in the past year. As for those fixed and disclosed in June, 11 out of 12 were classified as level III (High). Critical vulnerabilities were still found right before the end of support (*7).
Even if the existence of other vulnerabilities is confirmed in an end of support product, no security patches will be available and the vulnerability will not be resolved. That means that keeping using the end of support software could lead to various undesirable consequences, such as malware infection and system hijack through attacks that exploit unfixed vulnerabilities.
System administrators should see if the software they are using is indeed supported and if there is end of support or soon-to-be end of support software, develop a migration plan and move to newer, supported versions, as needed.
Figure 2-1 shows the number of vulnerabilities newly added to JVN iPedia during the 2nd quarter of 2015, sorted by the CWE vulnerability types (*8).
The type of the vulnerabilities reported most in the 2nd quarter is CWE-79 (Cross-Site Scripting) with 192 cases, followed by CWE-200 (Information Exposure) with 148 cases and CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) with 131 cases.
CWE-79 (Cross-Site Scripting), the most reported vulnerability type this quarter, could allow an attacker to access important data, modify them and/or do possibly other things by executing malicious scripts on the PC running a browser.
Software developers need to make sure to implement necessary security measures from the planning and design phase of software development to mitigate vulnerability. IPA provides the tools and guidelines, such as “AppGoat” (*9) to help learn and understand vulnerability through practice and exercise, and “AnCoLe” (*10) for Android application developers to learn about and scan vulnerabilities.
Figure 2-2 shows the annual change in the severity of vulnerabilities registered to JVN iPedia based on the date they were first published.
As of the end of June 2015, 40.2 percent of all vulnerabilities registered since the launch of JVN iPedia are level III (“High”, CVSS Base Score = 7.0-10.0), 52.6 percent are level ll (“Medium”, CVSS Base Score = 4.0-6.9), and 7.2 percent are level I (“Low”, CVSS Base Score = 0.0-3.9).
This means the severity of 93 percent of the known vulnerabilities is level II or higher, which are critical enough to cause a service outage. To avoid threats imposed by the known vulnerabilities, it is essential for IT users to update software to the latest version or apply security patches as soon as possible when they become available.
Figure 2-3 shows the annual change in the type of software reported for having vulnerability. Application vulnerabilities have been published most and account for 85.2 percent of the total.
Since 2008, vulnerability in industrial control systems (ICS) used in critical infrastructure has started to be added to JVN iPedia. As of 2015/2Q, the total of 668 ICS vulnerabilities has been registered. (Figure 2-4)
Table 2-4 lists the top 20 software whose vulnerabilities were most registered during the 2nd quarter (April to June) of 2015. As shown below, the 1st, 2nd and 6th are browsers (Microsoft Internet Explorer, Google Chrome, and Mozilla Firefox, respectively). Below the 3rd, media players, PDF viewers/editors and operating systems of widely popular vendors, such as Adobe Systems, Apple and Microsoft, are dominating the ranking.
Besides widely used browsers and operating systems, JVN iPedia stores vulnerability information on a variety of software, including libraries. We hope developers and users will make use of JVN iPedia to check vulnerability information about the software they are using efficiently and take action swiftly(*11)..
|Rank||Category||Product Name (Vendor)|| Number of|
|1||Browser||Microsoft Internet Explorer (Microsoft)||110|
|2||Browser||Google Chrome (Google)||96|
|3||Media Player||Adobe Flash Player (Adobe Systems)||53|
|5||OS||Apple Mac OS X (Apple)||35|
|6||Browser||Mozilla Firefox (Mozilla Foundation)||34|
|6||OS||Microsoft Windows Server 2008 (Microsoft)||34|
|8||OS||Microsoft Windows Server 2012 (Microsoft)||32|
|8||OS||Microsoft Windows 7 (Microsoft)||32|
|8||PDF Viewer||Adobe Reader (Adobe Systems)||32|
|8||PDF Viewer/Editor||Adobe Acrobat (Adobe Systems)||32|
|12||OS||Microsoft Windows Vista (Microsoft)||31|
|Adobe Air (Adobe Systems)||31|
|12||Development Environment||Adobe Air SDK (Adobe Systems)||31|
|15||OS||Microsoft Windows 8.1 (Microsoft)||30|
|16||OS||Microsoft Windows 8 (Microsoft)||29|
|17||OS||Microsoft Windows RT (Microsoft)||28|
|18||OS||Debian GNU/Linux (Debian)||27|
|19||e-Learning System||Moodle (Moodle)||25|
|20||OS||Microsoft Windows Server 2003 (Microsoft)||24|
Table 3-1 lists the top 20 most accessed vulnerability information in JVN iPedia during the 2nd quarter of 2015 (April – June). The 1st and 11th are Lhaplus vulnerabilities. Lhaplus is a file compression/depression software so widely used on PCs that it has attracted a lot of attention. OpenSSL vulnerabilities ranked 3rd, 4th, 6th, 9h and 13th, accounting 25 percent of the top 20. The 2nd Hospira Lifecare PCA Insulin Pump and the 16th Boosted Boards Skateboard were viewed a lot as well. If the vulnerabilities in them were exploited, it could directly cause physical harm.
|1||JVNDB-2015-000051||Lhaplus Remote Code Execution Vulnerability (Japanese)||6.8||2015/4/9|
|2||JVNDB-2015-002513||Hospira Lifecare PCA Infusion System Improper Authorization Vulnerability (Japanese)||10.0||2015/5/1|
|3||JVNDB-2015-002764||TLS protocol vulnerable to cipher downgrade attacks (Japanese)||4.3||2015/5/22|
|4||JVNDB-2015-001009||ssl3_get_key_exchange function in s3_clnt.c in OpenSSL vulnerable to RSA-to-EXPORT_RSA downgrade attacks (Japanese)||4.3||2015/1/13|
|5||JVNDB-2014-000096||Shutter Cross-Site Scripting Vulnerability (Japanese)||2.6||2014/8/15|
|6||JVNDB-2014-004670||SSL (including the implementation in OpenSSL) allows an attacker to calculate the plaintext of secure connections||4.3||2014/10/16|
|7||JVNDB-2015-003050||multipart_buffer_headers function in main/rfc1867.c in PHP vulnerable to denial of service (DoS) (Japanese)||5.0||2015/6/12|
|8||JVNDB-2015-002668||QEMU floppy disk controller used in Xen and KVM vulnerable to denial of service (DoS) (Japanese)||7.7||2015/5/15|
|9||JVNDB-2014-000048||OpenSSL improper handling of Change Cipher Spec message (Japanese)||4.0||2014/6/6|
|10||JVNDB-2015-000085||Multiple Buffalo wireless LAN routers vulnerable to OS command injection (Japanese)||5.2||2015/6/5|
|11||JVNDB-2015-000050||Lhaplus Directory Traversal Vulnerability (Japanese)||2.6||2015/4/2|
|12||JVNDB-2015-000048||Hidemaru Editor Buffer Overflow Vulnerability||6.8||2015/4/2|
|13||JVNDB-2015-001887||crypto/evp/encode.c in the base64-decoding implementation in OpenSSL vulnerable to integer underflow (Japanese)||7.5||2015/3/23|
|14||JVNDB-2015-002263||HTTP.sys in multiple Microsoft Windows products vulnerable to remote code execution||10.0||2015/4/16|
|15||JVNDB-2015-000042||The Validator in TERASOLUNA Server Framework for Java(WEB) vulnerable to input validation bypass (Japanese)||4.3||2015/3/24|
|16||JVNDB-2015-002216||Boosted Boards Skateboards vulnerable to attacks that allow an attacker to modify their movement (Japanese)||8.3||2015/4/15|
|17||JVNDB-2015-001596||Netlogon server implementation in smbd in Samba vulnerable to arbitrary code execution (Japanese)||10.0||2015/2/25|
|18||JVNDB-2015-001959||JBoss RichFaces vulnerable to arbitrary Java code execution (Japanese)||7.5||2015/3/30|
|19||JVNDB-2015-002044||RC4 algorithm used in TLS protocol and SSL protocol vulnerable to plaintext-recovery attacks against the initial bytes of a stream (Japanese)||4.3||2015/4/6|
|20||JVNDB-2015-002103||IPv4 implementation in Linux Kernel vulnerable to denial od service (DoS) (Japanese)||7.8||2015/4/7|
Table 3-2 lists the top 5 most accessed vulnerability information among those reported by domestic product developers. After considering the impact on the business services, system administrators should apply security patches or updates provided by vendor to their affected system as soon as possible to prevent damage.
|1||JVNDB-2015-002706||Information Disclosure Vulnerability in JP1/Integrated Management - Universal CMDB||5.8||2015/5/19|
|2||JVNDB-2015-002705||Problem with directory permissions in JP1/Automatic Operation||3.3||2015/5/19|
|3||JVNDB-2014-002800||Multiple Vulnerabilities in Hitachi Tuning Manager and JP1/Performance Management - Manager Web Option||3.5||2014/6/11|
|4||JVNDB-2014-001594||Multiple Vulnerabilities in JP1/Cm2/Network Node Manager i||6.5||2014/3/11|
|5||JVNDB-2014-004833||Vulnerability in JP1/NETM/DM and Job Management Partner 1/Software Distribution data reproduction functionality||4.6||2014/10/20|
Note 1) Color Code for CVSS Base Score and Severity Level
|CVSS Base Score
Severity Level = I (Low)
|CVSS Base Score
Severity Level = II (Medium)
|CVSS Base Score
Severity Level = III (High)
Note 2) Color Code for Published Date
|Published in 2013 and before||Published in 2014||Published in 2015|
(*1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information providing information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.
(*2) National Vulnerability Database. A vulnerability database operated by NIST.
(*3) National Institute of Standards and Technology. A U.S federal agency that develops and promotes measurement, standards and technology.
(*4) TrapX Security: Anatomy of An Attack – Medijack (Medical Device Hijack)
(*5) National Vulnerability Database: A vulnerability database operated by NIST.
(*6) IPA Press Release: Security Measures and Operational Management Based on the Inevitable Malware Infection
(*8) Common Weakness Enumeration
(*9) Hands-on vulnerability learning and experiencing tool “AppGoat”
(*10) Android Application Vulnerability Learning/Checking Tool “AnCoLe”
(*11) IPA Technical Watch: Tips on Vulnerability Management (Practice)
The guide gives tips on how to efficiently and efficiently collect and use vulnerability information.
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)