Font Size Change

HOMEIT SecurityMeasures for Information Security VulnerabilitiesQuarterly ReportsVulnerability Countermeasure Information Database JVN iPedia Registration Status [2015 4th Quarter (Oct. - Dec.)]


IT Security

Vulnerability Countermeasure Information Database JVN iPedia Registration Status [2015 4th Quarter (Oct. - Dec.)]

Feb. 26, 2016
IT Security Center

1. 2015 4th Quarter: Vulnerability Countermeasure Information Database JVN iPedia Registration Status

The vulnerability countermeasure information database JVN iPedia ( is endeavoring to become a comprehensive database where vulnerability countermeasure information about software used in Japan is aggregated for IT users to easily access the information. JVN iPedia collects and/or translates the vulnerability countermeasure information published by 1) domestic software developers, 2) JVN (*1), a vulnerability information portal run by IPA and JPCERT/CC, and 3) NVD (*2), a vulnerability information database run by NIST (*3). JVN iPedia has continued to make the vulnerability information available to the public since April 25, 2007.

1-1. Vulnerabilities Registered in 2015 4Q

~ Total of 58,094 vulnerability information stored in JVN iPedia ~

The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 4th quarter of 2015 (October 1 to December 31, 2015) is shown in the table below. As of the end of December 2015, the total number of vulnerabilities stored in JVN iPedia is 58,094 (See Table 1-1, Figure 1-1).

As for the English version, the total of 1,337 vulnerabilities is available as shown in the lower half of the table.

Table 1-1. Registered Vulnerabilities in 4th Quarter of 2015
  Information Source Registered Cases Cumulative Cases
Japanese Version Domestic Product Developers 4 cases 172 cases
JVN 355 cases 6,077 cases
NVD 1,260 cases 51,845 cases
Total 1,619 cases 58,094 cases
English Version Domestic Product Developers 4 cases 172 cases
JVN 52 cases 1,165 cases
Total 56 cases 1,337 cases

1-2. Hot Topic #1: Vulnerabilities Exploited by Ransomware

~ Exploited vulnerabilities were those in older versions of popular software. Keep software up to date ~

IPA issued a monthly security alert on ransomware in January 2016 (*4). The alert was our response to the increase of requests for consultation to IPA Security Help Desk regarding ransomware infection via email or websites after April 2015.

According to JPCERT/CC’s security alert (*5) and reports by a security vendor (*6)(*7), vulnerabilities in Microsoft products and Adobe Flash Player have been actively exploited in ransomware attacks. As shown in Table 1-2, information on all those vulnerabilities have been available on JVN iPedia.

Table 1-2. Date of Disclosure and Attack Confirmed
NoIDTitleDate of
Date of Attack
1 JVNDB-2014-005401
Windows OLE Automation Array Remote Code Execution Vulnerability 2014/11/11 2015/5/6
2 JVNDB-2015-001418
Adobe Flash Player Arbitrary Code Execution Vulnerability 2015/2/5 2015/5/6
3 JVNDB-2015-005288
Adobe Flash Player Arbitrary Code Execution Vulnerability 2015/10/14 2015/12/1

Vulnerability information and security fixes for these vulnerabilities were available before attacks exploiting them were confirmed. That means no infection would have happened if users had updated their software immediately.

According to IPA Security Awareness Survey 2015 released last year on December 24 (*8), 18.2 percent of Adobe Flash Player users said they do not do updates. Likewise, 55.9 percent of all responders said they do not apply security patches (e.g. Windows Update). When asked why, more than 30 percent said because they do not understand what a security prompt/message is saying.

PC users are required to keep software they are using up to date. But the survey result shows that a certain proportion of PC users hit a wall at the very first step of patching. IPA offers a free tool called MyJVN Version Checker (*9) that enables users to check if software installed in their PC is up to date. IPA recommends users use such a tool as well as security software.

1-3. Hot Topic #2: End of Support for Windows SQL Server 2005 Coming Up

~ 85 percent of Windows SQL Server 2005 vulnerabilities are the most critical "Level III - High”~

Microsoft Japan Company Limited is going to end the support for Windows SQL Server 2005 on April 12, 2016. If continuing using a Windows SQL Server 2005 system, it may become riddled with vulnerabilities and end up with various undesirable consequences, such as virus infection and/or system hijack because security patches will be no longer available after the end of support date.

According to Microsoft Japan, as of December 2, 2015, about 120,000 machines are still using Windows SQL Server 2005, and 70,000 of them are using the free version embedded in business software packages like accounting software (*10). Business software packages are used for business management, such as human resource management, sales management and financing and accounting, and often store aggregated data. In case of security incidents, those software packages should be used in a safe environment.

JVN iPedia has 20 Windows SQL Server 2005 vulnerabilities. 85 percent of them (17 vulnerabilities) are the most critical "Level III – High". It is more than double the proportion of "High" among all registered vulnerabilities (Figure 1-3).

2. Details on JVN iPedia Registered Data

2-1. Type of Vulnerabilities Reported

Figure 2-1 shows the number of vulnerabilities newly added to JVN iPedia during the 4th quarter of 2015, sorted by the CWE vulnerability types.

The type of the vulnerabilities reported most in the 4th quarter is CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) with 355 cases, followed by CWE-264 (Permissions, Privileges and Access Controls with 179 cases, CWE-200 (Information Exposure) with 166 cases, and CWE-20 (Improper Input Validation) with 106 cases. CWE-119, the most reported vulnerability type this quarter, could allow an attacker to cause various undesirable consequences, such as unauthorized access to data, modify them and/or execute arbitrary code on the affected server and PC. More than 60 percent of CVE-119 vulnerabilities are found in Microsoft or Apple OS and browsers.

Software developers need to make sure to implement necessary security measures from the planning and design phase of software development to mitigate vulnerability. IPA provides tools and guidelines, such as “How to Secure Your Website” (*11) for website developers and operators to create a secure website, “AppGoat” (*12) to help learn and understand vulnerability through practice and exercise, and “AnCoLe” (*13) for Android application developers to scan vulnerability in their applications.

2-2. Severity of Vulnerabilities Reported

Figure 2-2 shows the annual change in the severity of vulnerabilities registered to JVN iPedia based on the date they were first published.

As of the end of December 31, 2015, 40.3 percent of all vulnerabilities registered since the launch of JVN iPedia are level III (“High”, CVSS Base Score = 7.0-10.0), 52.5 percent are level ll (“Medium”, CVSS Base Score = 4.0-6.9), and 7.2 percent are level I (“Low”, CVSS Base Score = 0.0-3.9).

This means the severity of 93 percent of the known vulnerabilities is level II or higher - critical enough to cause a service outage. To avoid threats imposed by the known vulnerabilities, it is essential for users to update software to the latest version or apply security patches as soon as possible when they become available.

2-3. Type of Software Reported for Having Vulnerability

Figure 2-3 shows the annual change in the type of software reported with vulnerability. Application vulnerabilities have been published most in 2015, accounting for 77.3 percent of the annual total. OS vulnerabilities are 19.5 percent, increasing double fold since the last year.

Since 2007, vulnerability in industrial control systems (ICS) used in critical infrastructure has started to be added to JVN iPedia. As of 2015/4Q, the total of 770 ICS vulnerabilities has been registered. (Figure 2-4)

2-4. Product Reported

Table 2-4 lists the top 20 software whose vulnerabilities were most registered during the 4th quarter (October to December) of 2015. As shown below, the 1st to 3rd are browsers, and the 4th and under that are widely-used software by big vendors like Adobe Systems, Apple and Oracle.

IPA hopes developers and users will make use of JVN iPedia to efficiently check vulnerability information about the software they are using and take necessary action timely (*14).

Table 2-4. Top 20 Software Products Vulnerabilities Were Most Registered [Oct. 2015 – Dec.2015]
RankCategoryProduct Name (Vendor) Number of
1 Browser Microsoft Internet Explorer (Microsoft) 190
2 Browser Google Chrome (Google) 167
3 Browser Microsoft Edge (Microsoft) 141
4 OS Apple Mac OS X (Apple) 134
5 Development Environment Adobe Flash Player (Adobe Systems) 120
6 Development Environment Adobe Air SDK & Compiler (Adobe Systems) 117
6 Development Environment Adobe Air SDK (Adobe Systems) 117
6 Development Environment Adobe Air (Adobe Systems) 117
9 OS iOS (Apple) 101
10 OS Android (Google) 90
11 PDF Viewer Adobe Reader (Adobe Systems) 59
11 PDF Viewer/Editor Adobe Acrobat (Adobe Systems) 59
13 OS tvOS (Apple) 46
14 OS watchOS (Apple) 45
14 Browser Mozilla Firefox (Mozilla Foundation) 45
16 Middleware MySQL (Oracle) 43
17 Development Environment JRE (Oracle) 42
17 Development Environment JDK (Oracle) 42
19 OS Ubuntu (Ubuntu) 30
20 OS Microsoft Windows 7 (Microsoft) 27

3. Most Accessed Vulnerability Countermeasure Information

Table 3-1 lists the top 20 most accessed vulnerability information in JVN iPedia during the 4th quarter of 2015 (October – December).

The top is a vulnerability in widely-used routers by several vendors. For their prevalence, it probably attracted lots of accesses even though its severity was low. The 2nd is a vulnerability in popular games. It was picked up by many blogs and news sties, likely leading to a high number of access. For the vulnerabilities in Cybozu Garoon ranked at the 5th and 8th, IPA issued a security alert because their severity is high and ramification of their exploitation could be huge. Other notable ranked-ins are OpenSSL’s vulnerabilities, which are the 7th, 14th and 18th.

Table 3-1. Top 20 Most Accessed Vulnerability Countermeasure Information in JVN iPedia [Oct. 2015 – Dec. 2015]
1 JVNDB-2015-000172 Multiple routers contain issue in preventing clickjacking attacks 2.6 2015/10/30
2 JVNDB-2015-000174 Multiple TYPE-MOON games vulnerable to OS command injection 6.8 2015/11/5
3 JVNDB-2015-000158 Pref. Shimane CMS vulnerable to SQL injection 6.5 2015/10/9
4 JVNDB-2015-005930 Apache Commons Collections Java library insecurely deserializes data (Japanese only) 7.5 2015/11/17
5 JVNDB-2015-000151 Multiple PHP code execution vulnerabilities in Cybozu Garoon 8.5 2015/10/7
6 JVNDB-2015-000141 Python for Windows may insecurely load dynamic libraries 6.8 2015/10/1
7 JVNDB-2015-001009 ssl3_get_key_exchange function in s3_clnt.c in OpenSSL vulnerable to RSA-to-EXPORT_RSA downgrade attacks (Japanese only) 4.3 2015/1/13
8 JVNDB-2015-000152 Cybozu Garoon vulnerable to LDAP injection 7.0 2015/10/7
9 JVNDB-2015-000153 Dojo Toolkit cross-site scripting vulnerability 4.3 2015/10/9
10 JVNDB-2015-000154 phpRechnung vulnerable to SQL injection 6.5 2015/10/9
11 JVNDB-2015-000160 Avast vulnerable to directory traversal 4.3 2015/10/16
12 JVNDB-2015-000149 gollum vulnerable to file exposure 4.3 2015/10/2
13 JVNDB-2015-000166 EC-CUBE cross-site request forgery vulnerability 5.1 2015/10/26
14 JVNDB-2014-000048 OpenSSL improper handling of Change Cipher Spec message 4.0 2014/6/6
15 JVNDB-2015-000148 Dotclear vulnerable to cross-site scripting 2.6 2015/10/2
16 JVNDB-2015-000159 Party Track SDK for iOS fails to verify server certificates 4.0 2015/10/14
17 JVNDB-2014-000096 Shutter vulnerable to cross-site scripting 2.6 2014/8/15
18 JVNDB-2014-004670 SSL (including the implementation in OpenSSL) allows an attacker to calculate the plaintext of secure connections (Japanese only) 4.3 2014/10/16
19 JVNDB-2015-000126 eXtplorer vulnerable to cross-site request forgery 5.1 2015/10/15
20 JVNDB-2015-000171 HTML::Scrubber vulnerable to cross-site scripting 2.6 2015/10/30

Table 3-2 lists the top 5 most accessed vulnerability information among those reported by domestic software developers. If using the vulnerable software, system administrators should apply security patches or updates to their system as soon as possible to mitigate damage.

Table 3-2. Top 5 Most Accessed Vulnerability Countermeasure Information Reported by Domestic Developers [Oct. 2015 – Dec. 2015]
1 JVNDB-2015-006054 XML External Entity (XXE) Vulnerability in Hitachi Command Suite 5.0 2015/12/1
2 JVNDB-2015-006129 Multiple Cross-site Scripting Vulnerabilities in EUR 3.5 2015/12/9
3 JVNDB-2015-006130 Vulnerability in JP1/Automatic Job Management System 3 5.0 2015/12/9
4 JVNDB-2015-006527 Cross-site Scripting Vulnerability in uCosminexus Portal Framework and Groupmax Collaboration 4.3 2015/12/28
5 JVNDB-2014-002800 Multiple Vulnerabilities in Hitachi Tuning Manager and JP1/Performance Management - Manager Web Option 3.5 2014/6/11

Note 1) Color Code for CVSS Base Score and Severity Level

CVSS Base Score = 0.0~3.9
Severity Level = I (Low)
CVSS Base Score = 4.0~6.9
Severity Level = II (Medium)
CVSS Base Score = 7.0~10.0
Severity Level = III (High)

Note 2) Color Code for Published Date

Published in 2013 and before Published in 2014 Published in 2015


(*1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information including information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.

(*2) National Vulnerability Database: A vulnerability database operated by NIST.

(*3) National Institute of Standards and Technology: A U.S federal agency that develops and promotes measurement, standards and technology.

(*4) Make backups regularly in case of ransomware infection (Japanese)

(*5) JPCERT/CC: Security Alert for Ransomware (Japanese)

(*6) What’s the true identity of .vvv virus? Spread of ransomware “CrypTesla” is limited (Japanese)

(*7) Blog of News Site “The Independent” Hacked, Leads to TeslaCrypt Ransomware

(*8) (Japanese)

(*9) MyJVN Version Checker (Japanese)

(*10) Support Migration from end-of-support Windows SQL Server 2005 – Continued use could pose security risks (Japanese)

(*11) How to Secure Your Websites (Japanese)

(*12) Hands-on vulnerability learning and experiencing tool “AppGoat” (Japanese)

(*13) Android Application Vulnerability Learning/Checking Tool “AnCoLe” (Japanese)

(*14) IPA Technical Watch - Daily Practice: Tips on Vulnerability Management
The guide gives tips on how to efficiently and efficiently collect and leverage vulnerability information. (Japanese)



IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)