Vulnerability Countermeasure Information Database JVN iPedia Registration Status [2015 2nd Quarter (Apr. -Jun.)]

Aug. 21, 2015
IT Security Center

1. 2015 2nd Quarter: Vulnerability Countermeasure Information Database JVN iPedia Registration Status

The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/en/) aims to be a comprehensive database that aggregates vulnerability countermeasure information about software used in Japan so that IT users can access it easily. JVN iPedia collects and/or translates the vulnerability countermeasure information published by 1) domestic software developers, 2) JVN (*1), a vulnerability information portal site, and 3) NVD (*2), a vulnerability information database run by NIST (*3). JVN iPedia has made this vulnerability information available to the public since April 25, 2007.

1-1. Vulnerabilities Registered in 2015 2Q

~ A total of 54,714 vulnerabilities stored in JVN iPedia ~

The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 2nd quarter of 2015 (April 1 to June 30, 2015) is shown in the table below. As of the end of June 2015, the total number of vulnerabilities stored in JVN iPedia is 54,714 (See Table 1-1, Figure 1-1).

The English version stores a total of 1,228 vulnerabilities, as shown in the lower half of the table.

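Table 1-1. Registered Vulnerabilities in 2nd Quarter of 2015

| Version | Information Source | Registered Cases | Cumulative Cases |
|---|---|---|---|
| Japanese Version | Domestic Product Developers | 2 cases | 168 cases |
| Japanese Version | JVN | 178 cases | 5,396 cases |
| Japanese Version | NVD | 1,299 cases | 49,150 cases |
| Japanese Version | Total | 1,479 cases | 54,714 cases |
| English Version | Domestic Product Developers | 2 cases | 168 cases |
| English Version | JVN | 42 cases | 1,060 cases |
| English Version | Total | 44 cases | 1,228 cases |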

1-2. Hot Topic #1: Vulnerabilities in Medical Product Software

~ Vulnerabilities in medical systems and devices have been reported: Be aware of the risk of data breach and/or malfunction ~

In May 2015, a foreign security vendor published a report on medical device hijack (*4). According to the report, there were incidents in which medical devices infected with malware were abused as a launching point for attacks within the hospital’s internal network to steal data. Medical product software used in medical facilities may have vulnerabilities that attackers could exploit to cause serious damage.

Table 1-2 is a list of JVN iPedia-stored vulnerabilities found in the systems and devices that handle medical data or are used in medical treatment. JVN iPedia began to publish vulnerability information about medical product software on February 9, 2012, and stores 22 vulnerabilities as of June 2015. Among them, 12 are about OpenEMR, an electronic health record and medical practice management software, and 3 are about Hospira MedNet, a medication management software.

Table 1-2 Vulnerabilities in Medical Product Software Stored in JVN iPedia

The medical product software vulnerabilities published on JVN iPedia so far are mostly from foreign sources, such as NVD (*5). Even if the vulnerable products are foreign, they affect Japanese users and patients when they are used in Japan. Vulnerabilities can also be found in Japanese medical product software. Users and patients should be aware that medical product software may have vulnerabilities and that they may be exploited just like PC software vulnerabilities.

For example, if a system that handles patients’ medical information has a vulnerability, it may lead to the leak of very sensitive data. If a medical device used for treatment has a vulnerability, it may allow an attacker to cause a malfunction. Administrators of medical facilities and users/patients of medical treatment devices are advised to recheck whether the products they are using have vulnerabilities and take necessary actions.

See also a security alert on how to implement layered security (*6) to avoid damage inflicted by attacks.

1-3. Hot Topic #2: End of Support Windows Server 2003 Vulnerabilities

~ 62% of Windows Server 2003 vulnerabilities reported in the past year are the most “critical” ~

Official support for Windows Server 2003 provided by Microsoft Corporation ended on July 15, 2015 (Japan Standard Time). After the end of support, security patches will no longer be available for Windows Server 2003.

During the past year, from July 2014 to June 2015, 69 vulnerabilities were found in Windows Server 2003 and registered to JVN iPedia. Among them, 62 percent were the most critical “Level III (High)” vulnerabilities. This ratio is more than double that of Level III (High) vulnerabilities among all vulnerabilities registered to JVN iPedia during the same time period (26 percent) (Figure 1-3-1).

Figure 1-3-2 shows the number and severity of Windows Server 2003 vulnerabilities registered to JVN iPedia in the past year. As for those fixed and disclosed in June, 11 out of 12 were classified as level III (High). Critical vulnerabilities were still found right before the end of support (*7).

Even if further vulnerabilities are confirmed in an end-of-support product, no security patches will be available and the vulnerabilities will not be resolved. That means that continuing to use end-of-support software could lead to various undesirable consequences, such as malware infection and system hijack through attacks that exploit unfixed vulnerabilities.

System administrators should check whether the software they are using is still supported and, if any of it has reached or is about to reach end of support, develop a migration plan and move to newer, supported versions as needed.

2. Details on JVN iPedia Registered Data

2-1. Type of Vulnerabilities Reported

Figure 2-1 shows the number of vulnerabilities newly added to JVN iPedia during the 2nd quarter of 2015, sorted by the CWE vulnerability types (*8).

The type of the vulnerabilities reported most in the 2nd quarter is CWE-79 (Cross-Site Scripting) with 192 cases, followed by CWE-200 (Information Exposure) with 148 cases and CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) with 131 cases.

CWE-79 (Cross-Site Scripting), the most reported vulnerability type this quarter, could allow an attacker to access important data, modify it and/or take other actions by executing malicious scripts on the PC running a browser.

Software developers need to implement the necessary security measures from the planning and design phase of software development to mitigate vulnerabilities. IPA provides tools and guidelines, such as “AppGoat” (*9), which helps users learn and understand vulnerabilities through practice and exercise, and “AnCoLe” (*10), which helps Android application developers learn about and scan for vulnerabilities.

2-2. Severity of Vulnerabilities Reported

Figure 2-2 shows the annual change in the severity of vulnerabilities registered to JVN iPedia based on the date they were first published.

As of the end of June 2015, 40.2 percent of all vulnerabilities registered since the launch of JVN iPedia are level III (“High”, CVSS Base Score = 7.0-10.0), 52.6 percent are level II (“Medium”, CVSS Base Score = 4.0-6.9), and 7.2 percent are level I (“Low”, CVSS Base Score = 0.0-3.9).

This means that 93 percent of the known vulnerabilities are level II or higher, which is severe enough to cause a service outage. To avoid the threats posed by known vulnerabilities, it is essential for IT users to update software to the latest version or apply security patches as soon as possible when they become available.

2-3. Type of Software Reported for Having Vulnerability

Figure 2-3 shows the annual change in the type of software reported for having vulnerability. Application vulnerabilities have been published most and account for 85.2 percent of the total.

Since 2008, vulnerabilities in industrial control systems (ICS) used in critical infrastructure have been added to JVN iPedia. As of 2015/2Q, a total of 668 ICS vulnerabilities have been registered (Figure 2-4).

2-4. Product Reported

Table 2-4 lists the top 20 software products with the most vulnerabilities registered during the 2nd quarter (April to June) of 2015. As shown below, the 1st, 2nd and 6th are browsers (Microsoft Internet Explorer, Google Chrome, and Mozilla Firefox, respectively). From the 3rd down, media players, PDF viewers/editors and operating systems from widely popular vendors, such as Adobe Systems, Apple and Microsoft, dominate the ranking.

Besides widely used browsers and operating systems, JVN iPedia stores vulnerability information on a variety of software, including libraries. We hope developers and users will make use of JVN iPedia to efficiently check vulnerability information about the software they are using and take action swiftly (*11).

Table 2-4. Top 20 Software Products with the Most Vulnerabilities Registered [Apr. 2015 – Jun. 2015]

| Rank | Category | Product Name (Vendor) | Number of Vulnerabilities Registered |
|---|---|---|---|
| 1 | Browser | Microsoft Internet Explorer (Microsoft) | 110 |
| 2 | Browser | Google Chrome (Google) | 96 |
| 3 | Media Player | Adobe Flash Player (Adobe Systems) | 53 |
| 4 | OS | iOS (Apple) | 43 |
| 5 | OS | Apple Mac OS X (Apple) | 35 |
| 6 | Browser | Mozilla Firefox (Mozilla Foundation) | 34 |
| 6 | OS | Microsoft Windows Server 2008 (Microsoft) | 34 |
| 8 | OS | Microsoft Windows Server 2012 (Microsoft) | 32 |
| 8 | OS | Microsoft Windows 7 (Microsoft) | 32 |
| 8 | PDF Viewer | Adobe Reader (Adobe Systems) | 32 |
| 8 | PDF Viewer/Editor | Adobe Acrobat (Adobe Systems) | 32 |
| 12 | OS | Microsoft Windows Vista (Microsoft) | 31 |
| 12 | Development/Execution Environment | Adobe Air (Adobe Systems) | 31 |
| 12 | Development Environment | Adobe Air SDK (Adobe Systems) | 31 |
| 15 | OS | Microsoft Windows 8.1 (Microsoft) | 30 |
| 16 | OS | Microsoft Windows 8 (Microsoft) | 29 |
| 17 | OS | Microsoft Windows RT (Microsoft) | 28 |
| 18 | OS | Debian GNU/Linux (Debian) | 27 |
| 19 | e-Learning System | Moodle (Moodle) | 25 |
| 20 | OS | Microsoft Windows Server 2003 (Microsoft) | 24 |

3. Most Accessed Vulnerability Countermeasure Information

Table 3-1 lists the top 20 most accessed vulnerability information in JVN iPedia during the 2nd quarter of 2015 (April – June). The 1st and 11th are Lhaplus vulnerabilities. Lhaplus is a file compression/decompression software so widely used on PCs that it has attracted a lot of attention. OpenSSL vulnerabilities ranked 3rd, 4th, 6th, 9th and 13th, accounting for 25 percent of the top 20. The 2nd, Hospira Lifecare PCA Insulin Pump, and the 16th, Boosted Boards Skateboard, were viewed a lot as well. If the vulnerabilities in them were exploited, it could directly cause physical harm.

Table 3-1. Top 20 Most Accessed Vulnerability Countermeasure Information in JVN iPedia [Apr. 2015 – Jun. 2015]

| No | ID | Title | CVSS Score | Date Public |
|---|---|---|---|---|
| 1 | JVNDB-2015-000051 | Lhaplus Remote Code Execution Vulnerability (Japanese) | 6.8 | 2015/4/9 |
| 2 | JVNDB-2015-002513 | Hospira Lifecare PCA Infusion System Improper Authorization Vulnerability (Japanese) | 10.0 | 2015/5/1 |
| 3 | JVNDB-2015-002764 | TLS protocol vulnerable to cipher downgrade attacks (Japanese) | 4.3 | 2015/5/22 |
| 4 | JVNDB-2015-001009 | ssl3_get_key_exchange function in s3_clnt.c in OpenSSL vulnerable to RSA-to-EXPORT_RSA downgrade attacks (Japanese) | 4.3 | 2015/1/13 |
| 5 | JVNDB-2014-000096 | Shutter Cross-Site Scripting Vulnerability (Japanese) | 2.6 | 2014/8/15 |
| 6 | JVNDB-2014-004670 | SSL (including the implementation in OpenSSL) allows an attacker to calculate the plaintext of secure connections | 4.3 | 2014/10/16 |
| 7 | JVNDB-2015-003050 | multipart_buffer_headers function in main/rfc1867.c in PHP vulnerable to denial of service (DoS) (Japanese) | 5.0 | 2015/6/12 |
| 8 | JVNDB-2015-002668 | QEMU floppy disk controller used in Xen and KVM vulnerable to denial of service (DoS) (Japanese) | 7.7 | 2015/5/15 |
| 9 | JVNDB-2014-000048 | OpenSSL improper handling of Change Cipher Spec message (Japanese) | 4.0 | 2014/6/6 |
| 10 | JVNDB-2015-000085 | Multiple Buffalo wireless LAN routers vulnerable to OS command injection (Japanese) | 5.2 | 2015/6/5 |
| 11 | JVNDB-2015-000050 | Lhaplus Directory Traversal Vulnerability (Japanese) | 2.6 | 2015/4/2 |
| 12 | JVNDB-2015-000048 | Hidemaru Editor Buffer Overflow Vulnerability | 6.8 | 2015/4/2 |
| 13 | JVNDB-2015-001887 | crypto/evp/encode.c in the base64-decoding implementation in OpenSSL vulnerable to integer underflow (Japanese) | 7.5 | 2015/3/23 |
| 14 | JVNDB-2015-002263 | HTTP.sys in multiple Microsoft Windows products vulnerable to remote code execution | 10.0 | 2015/4/16 |
| 15 | JVNDB-2015-000042 | The Validator in TERASOLUNA Server Framework for Java(WEB) vulnerable to input validation bypass (Japanese) | 4.3 | 2015/3/24 |
| 16 | JVNDB-2015-002216 | Boosted Boards Skateboards vulnerable to attacks that allow an attacker to modify their movement (Japanese) | 8.3 | 2015/4/15 |
| 17 | JVNDB-2015-001596 | Netlogon server implementation in smbd in Samba vulnerable to arbitrary code execution (Japanese) | 10.0 | 2015/2/25 |
| 18 | JVNDB-2015-001959 | JBoss RichFaces vulnerable to arbitrary Java code execution (Japanese) | 7.5 | 2015/3/30 |
| 19 | JVNDB-2015-002044 | RC4 algorithm used in TLS protocol and SSL protocol vulnerable to plaintext-recovery attacks against the initial bytes of a stream (Japanese) | 4.3 | 2015/4/6 |
| 20 | JVNDB-2015-002103 | IPv4 implementation in Linux Kernel vulnerable to denial of service (DoS) (Japanese) | 7.8 | 2015/4/7 |

Table 3-2 lists the top 5 most accessed vulnerability information among those reported by domestic product developers. After considering the impact on business services, system administrators should apply the security patches or updates provided by the vendor to their affected systems as soon as possible to prevent damage.

Table 3-2. Top 5 Most Accessed Vulnerability Countermeasure Information Reported by Domestic Developers [Apr. 2015 - Jun. 2015]

| No | ID | Title | CVSS Score | Date Public |
|---|---|---|---|---|
| 1 | JVNDB-2015-002706 | Information Disclosure Vulnerability in JP1/Integrated Management - Universal CMDB | 5.8 | 2015/5/19 |
| 2 | JVNDB-2015-002705 | Problem with directory permissions in JP1/Automatic Operation | 3.3 | 2015/5/19 |
| 3 | JVNDB-2014-002800 | Multiple Vulnerabilities in Hitachi Tuning Manager and JP1/Performance Management - Manager Web Option | 3.5 | 2014/6/11 |
| 4 | JVNDB-2014-001594 | Multiple Vulnerabilities in JP1/Cm2/Network Node Manager i | 6.5 | 2014/3/11 |
| 5 | JVNDB-2014-004833 | Vulnerability in JP1/NETM/DM and Job Management Partner 1/Software Distribution data reproduction functionality | 4.6 | 2014/10/20 |

Note 1) Color Code for CVSS Base Score and Severity Level

CVSS Base Score = 0.0~3.9: Severity Level = I (Low)
CVSS Base Score = 4.0~6.9: Severity Level = II (Medium)
CVSS Base Score = 7.0~10.0: Severity Level = III (High)

Note 2) Color Code for Published Date

Published in 2013 and before / Published in 2014 / Published in 2015

Footnotes

(*1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information providing information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.
https://jvn.jp/en/

(*2) National Vulnerability Database. A vulnerability database operated by NIST.
http://nvd.nist.gov/home.cfm

(*3) National Institute of Standards and Technology. A U.S. federal agency that develops and promotes measurement, standards and technology.
http://www.nist.gov/

(*4) TrapX Security: Anatomy of An Attack – Medijack (Medical Device Hijack)
http://deceive.trapx.com/AOAMEDJACK_210_Landing_Page.html

(*5) National Vulnerability Database: A vulnerability database operated by NIST.
http://nvd.nist.gov/home.cfm

(*6) IPA Press Release: Security Measures and Operational Management Based on the Inevitable Malware Infection
https://www.ipa.go.jp/security/ciadr/vul/20150602-secop.html (Japanese)

(*7) The number of the Windows Server 2003 vulnerabilities fixed in the last security patches before the end of support on July 15, 2015: 11 (Severity: High: 5, Medium: 4, Low: 2)

(*8) Common Weakness Enumeration
https://www.ipa.go.jp/security/vuln/CWE.html (Japanese)

(*9) Hands-on vulnerability learning and experiencing tool “AppGoat”
https://www.ipa.go.jp/security/vuln/appgoat/index.html (Japanese)

(*10) Android Application Vulnerability Learning/Checking Tool “AnCoLe”
https://www.ipa.go.jp/security/vuln/ancole/index.html (Japanese)

(*11) IPA Technical Watch: Tips on Vulnerability Management (Practice)
The guide gives tips on how to efficiently collect and use vulnerability information.
https://www.ipa.go.jp/security/technicalwatch/20150331.html (Japanese)

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)