Feb. 26, 2016
IT Security Center
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/en/) is endeavoring to become a comprehensive database where vulnerability countermeasure information about software used in Japan is aggregated for IT users to easily access the information. JVN iPedia collects and/or translates the vulnerability countermeasure information published by 1) domestic software developers, 2) JVN (*1), a vulnerability information portal run by IPA and JPCERT/CC, and 3) NVD (*2), a vulnerability information database run by NIST (*3). JVN iPedia has continued to make the vulnerability information available to the public since April 25, 2007.
~ Total of 58,094 vulnerability information stored in JVN iPedia ~
The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 4th quarter of 2015 (October 1 to December 31, 2015) is shown in the table below. As of the end of December 2015, the total number of vulnerabilities stored in JVN iPedia is 58,094 (See Table 1-1, Figure 1-1).
The English version holds a total of 1,337 vulnerabilities, as shown in the lower half of the table.
|Version|Information Source|Registered Cases|Cumulative Cases|
|Japanese Version|Domestic Product Developers|4 cases|172 cases|
|Japanese Version|JVN|355 cases|6,077 cases|
|Japanese Version|NVD|1,260 cases|51,845 cases|
|Japanese Version|Total|1,619 cases|58,094 cases|
|English Version|Domestic Product Developers|4 cases|172 cases|
|English Version|JVN|52 cases|1,165 cases|
|English Version|Total|56 cases|1,337 cases|
~ Exploited vulnerabilities were those in older versions of popular software. Keep software up to date ~
IPA issued a monthly security alert on ransomware in January 2016 (*4). The alert responded to the increase, since April 2015, in requests for consultation to the IPA Security Help Desk about ransomware infections via e-mail or websites.
According to JPCERT/CC's security alert (*5) and reports by a security vendor (*6)(*7), vulnerabilities in Microsoft products and Adobe Flash Player have been actively exploited in ransomware attacks. As shown in Table 1-2, information on all of those vulnerabilities had already been published on JVN iPedia.
|No|ID|Title|Date of Publication|Date of Attack|
|1| |Windows OLE Automation Array Remote Code Execution Vulnerability|2014/11/11|2015/5/6|
|2| |Adobe Flash Player Arbitrary Code Execution Vulnerability|2015/2/5|2015/5/6|
|3| |Adobe Flash Player Arbitrary Code Execution Vulnerability|2015/10/14|2015/12/1|
Vulnerability information and security fixes for these vulnerabilities were available before attacks exploiting them were confirmed. In other words, infections through these particular exploits could have been prevented if users had updated their software promptly.
According to the IPA Security Awareness Survey 2015, released on December 24 of last year (*8), 18.2 percent of Adobe Flash Player users said they do not update it. Likewise, 55.9 percent of all respondents said they do not apply security patches (e.g. Windows Update). When asked why, more than 30 percent said it was because they do not understand what a security prompt or message is telling them.
PC users need to keep the software they use up to date, but the survey shows that a certain proportion of them stumble at the very first step of patching. IPA offers a free tool, MyJVN Version Checker (*9), that checks whether the software installed on a PC is up to date. IPA recommends using such a tool alongside security software.
~ 85 percent of Windows SQL Server 2005 vulnerabilities are the most critical "Level III - High" ~
Microsoft Japan Company Limited will end support for Windows SQL Server 2005 on April 12, 2016. Because no security patches will be issued after the end-of-support date, a system that keeps running Windows SQL Server 2005 will accumulate unpatched vulnerabilities and may suffer consequences such as virus infection or system hijacking.
According to Microsoft Japan, as of December 2, 2015, about 120,000 machines were still running Windows SQL Server 2005, and 70,000 of them were using the free edition embedded in business software packages such as accounting software (*10). Business software packages are used for business management, such as human resource management, sales management, and finance and accounting, and often store aggregated data. To avoid security incidents, such packages should be run in a safe, supported environment.
JVN iPedia holds 20 Windows SQL Server 2005 vulnerabilities. 85 percent of them (17 vulnerabilities) are rated the most critical "Level III - High", more than double the proportion of "High" among all registered vulnerabilities (Figure 1-3).
Figure 2-1 shows the number of vulnerabilities newly added to JVN iPedia during the 4th quarter of 2015, sorted by the CWE vulnerability types.
The vulnerability type reported most in the 4th quarter is CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) with 355 cases, followed by CWE-264 (Permissions, Privileges and Access Controls) with 179 cases, CWE-200 (Information Exposure) with 166 cases, and CWE-20 (Improper Input Validation) with 106 cases. CWE-119, the most reported type this quarter, can allow an attacker to read data without authorization, modify it, and/or execute arbitrary code on the affected server or PC. More than 60 percent of the CWE-119 vulnerabilities were found in Microsoft or Apple operating systems and browsers.
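To make the CWE-119 category concrete, the following C program is an added example written for this page; it is not code from IPA or from any of the products counted in the statistics. It assumes a hypothetical fixed-layout record (an 8-byte name field immediately followed by a 1-byte privilege flag) and shows a common form of the bug, a length check made against the wrong object (the whole record instead of the destination field), so that an over-long name overwrites the adjacent flag. The hardened version bounds the copy by the field size and rejects input that does not fit.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not IPA's or any vendor's code. The record layout is a
 * hypothetical one chosen to make the overflow visible: an 8-byte name
 * field immediately followed by a 1-byte privilege flag. */
enum { NAME_LEN = 8, REC_LEN = NAME_LEN + 1 };

struct record {
    unsigned char bytes[REC_LEN];   /* bytes[0..7] = name, bytes[8] = flag */
};

static void record_init(struct record *r)
{
    memset(r->bytes, 0, sizeof r->bytes);   /* empty name, flag = 0 (not admin) */
}

static unsigned char record_flag(const struct record *r)
{
    return r->bytes[NAME_LEN];
}

/* CWE-119: the length check compares against the size of the whole record,
 * not the name field, so a 9-byte name passes and its last byte lands on
 * the privilege flag. Returns 0 on "success", -1 if the input is rejected. */
int set_name_vulnerable(struct record *r, const char *src)
{
    size_t n = strlen(src);
    if (n > REC_LEN)                 /* wrong bound: should be NAME_LEN */
        return -1;
    memcpy(r->bytes, src, n);        /* may write past the name field */
    return 0;
}

/* Hardened: bound the copy by the destination field, keep room for the
 * terminating NUL, and reject anything that does not fit. */
int set_name_safe(struct record *r, const char *src)
{
    size_t n = strlen(src);
    if (n >= NAME_LEN)               /* n + 1 bytes (with NUL) must fit in NAME_LEN */
        return -1;
    memcpy(r->bytes, src, n);
    r->bytes[n] = '\0';
    return 0;
}

/* Feeds one attacker-style input (constructed for the demo: 8 filler bytes
 * followed by 0x01, the value the attacker wants in the flag) through the
 * given setter. Returns -1 if the setter rejected it, otherwise the flag
 * value the input managed to leave in the record. */
int demo_result(int (*setter)(struct record *, const char *))
{
    static const char attack[] = "AAAAAAAA\x01";
    struct record r;
    record_init(&r);
    if (setter(&r, attack) != 0)
        return -1;                   /* rejected before any byte was written */
    return record_flag(&r);
}

int main(void)
{
    printf("vulnerable setter: result=%d (1 = flag overwritten)\n",
           demo_result(set_name_vulnerable));
    printf("hardened setter:   result=%d (-1 = input rejected)\n",
           demo_result(set_name_safe));
    return 0;
}
```

The vulnerable check is not missing, it is simply measured against the wrong size, which is why a review should ask "bounded by what?" for every copy into a fixed-size field rather than only whether a check exists.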
Software developers need to build in the necessary security measures from the planning and design phases of development to reduce vulnerabilities. IPA provides tools and guidelines for this, such as "How to Secure Your Website" (*11) for website developers and operators, "AppGoat" (*12) for learning about vulnerabilities through hands-on exercises, and "AnCoLe" (*13) for Android application developers to check their applications for vulnerabilities.
Figure 2-2 shows the annual change in the severity of vulnerabilities registered to JVN iPedia based on the date they were first published.
As of December 31, 2015, 40.3 percent of all vulnerabilities registered since the launch of JVN iPedia are Level III ("High", CVSS Base Score 7.0-10.0), 52.5 percent are Level II ("Medium", CVSS Base Score 4.0-6.9), and 7.2 percent are Level I ("Low", CVSS Base Score 0.0-3.9).
This means that about 93 percent of the known vulnerabilities are Level II or higher, serious enough to cause, for example, a service outage. To avoid the threats posed by known vulnerabilities, it is essential for users to update software to the latest version or apply security patches as soon as they become available.
Figure 2-3 shows the annual change in the type of software reported with vulnerabilities. Application vulnerabilities were published most in 2015, accounting for 77.3 percent of the annual total. OS vulnerabilities account for 19.5 percent, roughly double the share of the previous year.
Vulnerabilities in industrial control systems (ICS) used in critical infrastructure have been added to JVN iPedia since 2007. As of 2015/4Q, a total of 770 ICS vulnerabilities have been registered (Figure 2-4).
Table 2-4 lists the top 20 software products whose vulnerabilities were registered most during the 4th quarter (October to December) of 2015. As shown below, the 1st to 3rd are browsers, and the 4th and below are widely used software from major vendors such as Adobe Systems, Apple and Oracle.
IPA hopes developers and users will make use of JVN iPedia to efficiently check vulnerability information about the software they are using and take necessary action timely (*14).
|Rank|Category|Product Name (Vendor)|Number of Vulnerabilities|
|1||Browser||Microsoft Internet Explorer (Microsoft)||190|
|2||Browser||Google Chrome (Google)||167|
|3||Browser||Microsoft Edge (Microsoft)||141|
|4||OS||Apple Mac OS X (Apple)||134|
|5||Development Environment||Adobe Flash Player (Adobe Systems)||120|
|6||Development Environment||Adobe Air SDK & Compiler (Adobe Systems)||117|
|6||Development Environment||Adobe Air SDK (Adobe Systems)||117|
|6||Development Environment||Adobe Air (Adobe Systems)||117|
|11||PDF Viewer||Adobe Reader (Adobe Systems)||59|
|11||PDF Viewer/Editor||Adobe Acrobat (Adobe Systems)||59|
|14||Browser||Mozilla Firefox (Mozilla Foundation)||45|
|17||Development Environment||JRE (Oracle)||42|
|17||Development Environment||JDK (Oracle)||42|
|20||OS||Microsoft Windows 7 (Microsoft)||27|
Table 3-1 lists the top 20 most accessed vulnerability information in JVN iPedia during the 4th quarter of 2015 (October – December).
The top entry is a vulnerability in widely used routers from several vendors; given their prevalence, it probably attracted many accesses even though its severity is low. The 2nd is a vulnerability in popular games that was picked up by many blogs and news sites, likely leading to the high number of accesses. For the vulnerabilities in Cybozu Garoon ranked 5th and 8th, IPA issued a security alert because their severity is high and the ramifications of exploitation could be serious. Other notable entries are OpenSSL vulnerabilities, ranked 7th, 14th and 18th.
|Rank|ID|Title|CVSS Base Score|Date Published|
|1|JVNDB-2015-000172|Multiple routers contain issue in preventing clickjacking attacks|2.6|2015/10/30|
|2||JVNDB-2015-000174||Multiple TYPE-MOON games vulnerable to OS command injection||6.8||2015/11/5|
|3||JVNDB-2015-000158||Pref. Shimane CMS vulnerable to SQL injection||6.5||2015/10/9|
|4||JVNDB-2015-005930||Apache Commons Collections Java library insecurely deserializes data (Japanese only)||7.5||2015/11/17|
|5||JVNDB-2015-000151||Multiple PHP code execution vulnerabilities in Cybozu Garoon||8.5||2015/10/7|
|6||JVNDB-2015-000141||Python for Windows may insecurely load dynamic libraries||6.8||2015/10/1|
|7||JVNDB-2015-001009||ssl3_get_key_exchange function in s3_clnt.c in OpenSSL vulnerable to RSA-to-EXPORT_RSA downgrade attacks (Japanese only)||4.3||2015/1/13|
|8||JVNDB-2015-000152||Cybozu Garoon vulnerable to LDAP injection||7.0||2015/10/7|
|9||JVNDB-2015-000153||Dojo Toolkit cross-site scripting vulnerability||4.3||2015/10/9|
|10||JVNDB-2015-000154||phpRechnung vulnerable to SQL injection||6.5||2015/10/9|
|11||JVNDB-2015-000160||Avast vulnerable to directory traversal||4.3||2015/10/16|
|12||JVNDB-2015-000149||gollum vulnerable to file exposure||4.3||2015/10/2|
|13||JVNDB-2015-000166||EC-CUBE cross-site request forgery vulnerability||5.1||2015/10/26|
|14||JVNDB-2014-000048||OpenSSL improper handling of Change Cipher Spec message||4.0||2014/6/6|
|15||JVNDB-2015-000148||Dotclear vulnerable to cross-site scripting||2.6||2015/10/2|
|16||JVNDB-2015-000159||Party Track SDK for iOS fails to verify server certificates||4.0||2015/10/14|
|17||JVNDB-2014-000096||Shutter vulnerable to cross-site scripting||2.6||2014/8/15|
|18||JVNDB-2014-004670||SSL (including the implementation in OpenSSL) allows an attacker to calculate the plaintext of secure connections (Japanese only)||4.3||2014/10/16|
|19||JVNDB-2015-000126||eXtplorer vulnerable to cross-site request forgery||5.1||2015/10/15|
|20||JVNDB-2015-000171||HTML::Scrubber vulnerable to cross-site scripting||2.6||2015/10/30|
Table 3-2 lists the top 5 most accessed vulnerability information entries among those reported by domestic software developers. System administrators using the affected software should apply security patches or updates to their systems as soon as possible to prevent damage.
|Rank|ID|Title|CVSS Base Score|Date Published|
|1|JVNDB-2015-006054|XML External Entity (XXE) Vulnerability in Hitachi Command Suite|5.0|2015/12/1|
|2||JVNDB-2015-006129||Multiple Cross-site Scripting Vulnerabilities in EUR||3.5||2015/12/9|
|3||JVNDB-2015-006130||Vulnerability in JP1/Automatic Job Management System 3||5.0||2015/12/9|
|4||JVNDB-2015-006527||Cross-site Scripting Vulnerability in uCosminexus Portal Framework and Groupmax Collaboration||4.3||2015/12/28|
|5||JVNDB-2014-002800||Multiple Vulnerabilities in Hitachi Tuning Manager and JP1/Performance Management - Manager Web Option||3.5||2014/6/11|
Note 1) Color Code for CVSS Base Score and Severity Level
|CVSS Base Score|Severity Level|
|0.0-3.9|I (Low)|
|4.0-6.9|II (Medium)|
|7.0-10.0|III (High)|
Note 2) Color Code for Published Date
|Published in 2013 and before|Published in 2014|Published in 2015|
(*1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information including information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.
(*2) National Vulnerability Database: A vulnerability database operated by NIST.
(*3) National Institute of Standards and Technology: A U.S. federal agency that develops and promotes measurement, standards and technology.
(*4) Make backups regularly in case of ransomware infection
(*5) JPCERT/CC: Security Alert for Ransomware
(*6) What’s the true identity of .vvv virus? Spread of ransomware “CrypTesla” is limited
(*7) Blog of News Site “The Independent” Hacked, Leads to TeslaCrypt Ransomware
(*8) https://www.ipa.go.jp/security/fy27/reports/ishiki/index.html (Japanese)
(*9) MyJVN Version Checker
(*10) Support Migration from end-of-support Windows SQL Server 2005 – Continued use could pose security risks
(*11) How to Secure Your Websites
(*12) Hands-on vulnerability learning and experiencing tool “AppGoat”
(*13) Android Application Vulnerability Learning/Checking Tool “AnCoLe”
(*14) IPA Technical Watch - Daily Practice: Tips on Vulnerability Management. The guide gives tips on how to collect and leverage vulnerability information efficiently and effectively.
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)