Font Size Change

HOMEIT SecurityMeasures for Information Security VulnerabilitiesQuarterly ReportsVulnerability Countermeasure Information Database JVN iPedia Registration Status [2015 3rd Quarter (Jul. - Sep.)]


IT Security

Vulnerability Countermeasure Information Database JVN iPedia Registration Status [2015 3rd Quarter (Jul. - Sep.)]

Nov. 13, 2015
IT Security Center

1. 2015 3rd Quarter: Vulnerability Countermeasure Information Database JVN iPedia Registration Status

The vulnerability countermeasure information database JVN iPedia ( is endeavoring to become a comprehensive database where vulnerability countermeasure information about software used in Japan is aggregated for IT users to easily access the information. JVN iPedia collects and/or translates the vulnerability countermeasure information published by 1) domestic software developers, 2) JVN (*1), a vulnerability information portal site run by IPA and JPCERT/CC, and 3) NVD (*2), a vulnerability information database run by NIST (*3). JVN iPedia has continued to make the vulnerability information available to the public since April 25, 2007.

1-1. Vulnerabilities Registered in 2015 3Q

~ Total of 56,475 vulnerability information stored in JVN iPedia ~

The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 3rd quarter of 2015 (July 1 to September 30, 2015) is shown in the table below. As of the end of September 2015, the total number of vulnerabilities stored in JVN iPedia is 56,475 (See Table 1-1, Figure 1-1).

As for the English version, the total of 1,281 vulnerabilities is available as shown in the lower half of the table.

Table 1-1. Registered Vulnerabilities in 3rd Quarter of 2015
  Information Source Registered Cases Cumulative Cases
Japanese Version Domestic Product Developers 0 cases 168 cases
JVN 326 cases 5,722 cases
NVD 1,435 cases 50,585 cases
Total 1,761 cases 56,475 cases
English Version Domestic Product Developers 0 cases 168 cases
JVN 53 cases 1,113 cases
Total 53 cases 1,281 cases

1-2. Hot Topic #1: Adobe Flash Player Vulnerabilities

~ 95 Adobe Flash Player vulnerabilities reported during 3Q, exceeding the previous year’s total, 76, in just three months ~

Figure 1-2-1 shows the number of Adobe Flash Player vulnerabilities registered to JVN iPedia in the last two years, from October 2013 to September 2015, by quarter. The number of Adobe Flash Player vulnerabilities disclosed through JVN iPedia during this quarter is 95, which means it exceeded the previous year’s total, 76, in just three months. Looking at the total number by year, it already reaches 190 so far this year, which is two and half times more than the previous year.

In early July of 2015, several Adobe Flash Player vulnerabilities, including zero days, were disclosed as a result of the data breach of an Italian firm that sells spy software to the governments all over the world (*4). After their disclosure, targeted attacks exploiting those vulnerabilities were observed.

Figure 1-2-2 shows the severity of Adobe Flash Player vulnerabilities registered this quarter (left) and that of all vulnerabilities registered to JVN iPedia (right) for comparison. Among the 3rd quarter’s 95 vulnerabilities, 89.5 percent were the severest “level III (High)”. Comparing to the rate of the “level III (High)” among all vulnerabilities, 40.1 percent, it is more than double.

When a web page is accessed, if Adobe Flash Player contents are contained in the page, usually they are automatically executed. For that, Internet users are likely watching web contents like videos without realizing they are using Adobe Flash Player. Because they are unaware of it, they do not apply security fixes for Adobe Flash Players, surf the Internet with a vulnerable Adobe Flash Player, and their device gets infected with malware. This could be one of the reasons that Adobe Flash Player vulnerabilities are hacker favorites.

Adobe Flash Player users need to keep it up to date, and If they do not use it, they had better disable it in the browser settings or uninstall it.

1-3. Hot Topic #2: Vehicle Software Vulnerabilities

~ Vehicle software vulnerability was disclosed with CVE and registered to JVN iPedia for the first time ~

A news story of vehicle software vulnerability that allowed an attacker to remotely hijack a vehicle made headlines in July 2015 (*5). The security researchers demonstrated that by exploiting vulnerability in the Uconnect software (*6) loaded on certain vehicles of Fiat Chrysler Automobiles (FCA), they could take control over the vehicles - for example, manipulate the steering wheel and shut down the engine. To respond to this vulnerability, FCA was pushed to issue a missive recall.

Like other NVD-based vulnerabilities, this vulnerability was translated into Japanese and published on JVN iPedia (*7), which made it the first vehicle software vulnerability registered to JVN iPedia.

Since the recent trend promotes embedding computer software into various devices to achieve a variety of services, it is anticipated that vulnerability not only in vehicles but also in a wide variety of devices would be reported and registered to JVN iPedia.

Users and system administrators of those devices should do vulnerability management – for example, keep eyes on vulnerability disclosure, and apply fixed and updates as soon as possible when they are released.

2. Details on JVN iPedia Registered Data

2-1. Type of Vulnerabilities Reported

Figure 2-1 shows the number of vulnerabilities newly added to JVN iPedia during the 3rd quarter of 2015, sorted by the CWE vulnerability types.

The type of the vulnerabilities reported most in the 3rd quarter is CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) with 349 cases, followed by CWE-79 (Cross-Site Scripting) with 165 cases, CWE-20 (Improper Input Validation) with 159 cases and CWE-200 (Information Exposure) with 152 cases. The most reported vulnerability title often goes to CWE-79, and it is quite rare that CWE-119 seizes the top spot as in this quarter. CWE-119 may allow an attacker to access important data and modify them by executing malicious code on an affected server or PC. As for this quarter’s 349 cases registered as CWE-119, vulnerabilities in browsers (e.g. Microsoft Internet Explorer, Apple Safari and Mozilla Firefox) and operating systems (e.g. Microsoft’s and Apple’s) account for more than 50 percent.

Software developers need to make sure to implement necessary security measures from the planning and design phase of software development to mitigate vulnerability. IPA provides tools and guidelines, such as “How to Secure Your Website” (*8) for website developers and operators to create a secure website, “AppGoat” (*9) to help learn and understand vulnerability through practice and exercise, and “AnCoLe” (*10) for Android application developers to learn about and scan vulnerabilities in their applications.

2-2. Severity of Vulnerabilities Reported

Figure 2-2 shows the annual change in the severity of vulnerabilities registered to JVN iPedia based on the date they were first published.

As of the end of September 2015, 40.1 percent of all vulnerabilities registered since the launch of JVN iPedia are level III (“High”, CVSS Base Score = 7.0-10.0), 52.7 percent are level ll (“Medium”, CVSS Base Score = 4.0-6.9), and 7.2 percent are level I (“Low”, CVSS Base Score = 0.0-3.9).

This means the severity of 93 percent of the known vulnerabilities is level II or higher, which are critical enough to cause a service outage. To avoid threats imposed by the known vulnerabilities, it is essential for users to update software to the latest version or apply security patches as soon as possible when they become available.

2-3. Type of Software Reported for Having Vulnerability

Figure 2-3 shows the annual change in the type of software reported with vulnerability. Application vulnerabilities have been published most and account for 84.9 percent of the total.

Since 2007, vulnerability in industrial control systems (ICS) used in critical infrastructure has started to be added to JVN iPedia. As of 2015/3Q, the total of 708 ICS vulnerabilities has been registered. (Figure 2-4)

2-4. Product Reported

Table 2-4 lists the top 20 software whose vulnerabilities were most registered during the 3rd quarter (July to September) of 2015. As shown below, the 1st and 3rd are Apple operating systems, and the 11th and from 13th to 18th are Microsoft operating systems, making operating systems account for about 50 percent. Moreover, the 2nd, 4th, 9th, 10th and 12th are browsers like Microsoft Internet Explorer and Google Chrome, making operating systems and browsers account for 70 percent of the total.

JVN iPedia stores vulnerability information on a variety of software, including the top 20 software. IPA hopes developers and users will make use of JVN iPedia to efficiently check vulnerability information about the software they are using and take action timely(*11).

Table 2-4. Top 20 Software Products Vulnerabilities Were Most Registered [Jul. 2015 – Sep.2015]
RankCategoryProduct Name (Vendor) Number of
1 OS iOS (Apple) 181
2 Browser Microsoft Internet Explorer (Microsoft) 152
3 OS Apple Mac OS X (Apple) 134
4 Browser Google Chrome (Google) 128
5 Media Player Adobe Flash Player (Adobe Systems) 95
6 Development Environment Adobe Air SDK & Compiler (Adobe Systems) 92
6 Development Environment Adobe Air SDK (Adobe Systems) 92
6 Execution Environment Adobe Air (Adobe Systems) 92
9 Browser Mozilla Firefox (Mozilla Foundation) 72
10 Browser Microsoft Edge (Microsoft) 65
11 OS Microsoft Windows Server 2012 (Microsoft) 59
12 Browser Mozilla Firefox ESR (Mozilla Foundation) 57
13 OS Microsoft Windows 8.1 (Microsoft) 56
14 OS Microsoft Windows Server 2008 (Microsoft) 55
15 OS Microsoft Windows 8 (Microsoft) 54
16 OS Microsoft Windows RT (Microsoft) 52
17 OS Microsoft Windows 7 (Microsoft) 51
18 OS Microsoft Windows Vista (Microsoft) 49
19 PDF Viewer Adobe Reader (Adobe Systems) 45
19 PDF Viewer/Editor Adobe Acrobat (Adobe Systems) 45

3. Most Accessed Vulnerability Countermeasure Information

Table 3-1 lists the top 20 most accessed vulnerability information in JVN iPedia during the 3rd quarter of 2015 (July – September). The top is vulnerability in PHP, a script language widely used in Japan. The 2nd and 3rd are vulnerability in Yodobashi. Many people viewed them likely because it is an official smartphone application of a major consumer electronics retailer in Japan.

Focusing on the vulnerability type, the 10th, 12th, 14th and 19th are cross-site scripting, the top and 4th are OS command injection, and the 11th and 18th are directory traversal. Cross-site scripting may allow an attacker to steal important data and/or modify them by executing malicious code on the user’s browser.

Table 3-1. Top 20 Most Accessed Vulnerability Countermeasure Information in JVN iPedia [Jul. 2015 – Sep. 2015]
1 JVNDB-2015-000101 PHP for Windows vulnerable to OS command injection 6.8 2015/7/17
2 JVNDB-2015-000110 Yodobashi App for Android vulnerable to arbitrary Java method execution 5.8 2015/8/7
3 JVNDB-2015-000111 Yodobashi App for Android fails to verify SSL server certificates 4.0 2015/8/7
4 JVNDB-2015-000109 yoyaku_v41 vulnerable to OS command injection 7.5 2015/7/29
5 JVNDB-2013-003469 Apache Struts vulnerable to remote command execution 7.5 2013/7/23
6 JVNDB-2015-000108 yoyaku_v41 vulnerable to authentication bypass 5.0 2015/7/29
7 JVNDB-2015-000107 yoyaku_v41 vulnerable to arbitrary file creation 7.5 2015/7/29
8 JVNDB-2015-000112 Microsoft Office discloses a file path of a local file 4.3 2015/8/12
9 JVNDB-2015-000106 Gazou BBS plus vulnerability in file upload processing 5.0 2015/7/28
10 JVNDB-2015-000103 Welcart vulnerable to cross-site scripting 2.6 2015/7/24
11 JVNDB-2014-000107 SLFileManager for Android vulnerable to directory traversal 4.3 2014/9/25
12 JVNDB-2015-000104 Research Artisan Lite vulnerable to cross-site scripting 4.3 2015/7/24
13 JVNDB-2015-000099 Thetis vulnerable to SQL injection 7.5 2015/7/15
14 JVNDB-2015-000096 Simple Oekaki BBS vulnerable to cross-site scripting 5.0 2015/7/10
15 JVNDB-2015-000105 Research Artisan Lite does not properly perform authentication 5.0 2015/7/24
16 JVNDB-2015-000097 Simple Oekaki BBS vulnerability where arbitrary files may be deleted 6.4 2015/7/10
17 JVNDB-2015-000092 OpenEMR vulnerable to authentication bypass 5.0 2015/6/30
18 JVNDB-2015-000098 acmailer vulnerable to directory traversal 4.0 2015/7/15
19 JVNDB-2015-000088 Ruby on Rails library Paperclip vulnerable to cross-site scripting 4.3 2015/6/18
20 JVNDB-2015-000090 namshi/jose fails to verify token signatures 5.0 2015/6/25

Note 1) Color Code for CVSS Base Score and Severity Level

CVSS Base Score = 0.0~3.9
Severity Level = I (Low)
CVSS Base Score = 4.0~6.9
Severity Level = II (Medium)
CVSS Base Score = 7.0~10.0
Severity Level = III (High)

Note 2) Color Code for Published Date

Published in 2013 and before Published in 2014 Published in 2015


(*1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information including information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.

(*2) National Vulnerability Database: A vulnerability database operated by NIST.

(*3) National Institute of Standards and Technology: A U.S federal agency that develops and promotes measurement, standards and technology.

(*4) Hacking Team data breach reveals zero day vulnerabilities in Flash and Windows (Japanese)

(*5) Chrysler recalls 1.4 million vehicles to prevent hacking (Japanese)

(*6) Uconnect
An Internet-connected in-vehicle connectivity system for certain FCA vehicles

(*7) Vulnerability in Uconnect used in certain Fiat Chrysler Automobiles vehicles allows an attacker to control vehicle movement (Japanese)

(*8) How to Secure Your Website (Rev.7-2015) (Japanese)
How to Secure Your Website (Rev.5-2011) (English)

(*9) Hands-on vulnerability learning and experiencing tool “AppGoat” (Japanese)

(*10) Android Application Vulnerability Learning/Checking Tool “AnCoLe” (Japanese)

(*11) IPA Technical Watch - Daily Practice: Tips on Vulnerability Management The guide gives tips on how to efficiently and efficiently collect and leverage vulnerability information. (Japanese)



IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)