May 30, 2016
IT Security Center
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/en/) is endeavoring to become a comprehensive database where vulnerability countermeasure information about software used in Japan is aggregated for IT users to easily access the information. JVN iPedia collects and/or translates the vulnerability countermeasure information published by 1) domestic software developers, 2) JVN (*1), a vulnerability information portal run by IPA and JPCERT/CC, and 3) NVD (*2), a vulnerability information database run by NIST (*3). JVN iPedia has continued to make the vulnerability information available to the public since April 25, 2007.
~ A total of 59,547 vulnerabilities stored in JVN iPedia ~
The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 1st quarter of 2016 (January 1 to March 31, 2016) is shown in the table below. As of the end of March 2016, the total number of vulnerabilities stored in JVN iPedia is 59,547 (Table 1-1, Figure 1-1).
For the English version, a total of 1,372 vulnerabilities are available, as shown in the lower half of the table.
|Version||Information Source||Registered Cases||Cumulative Cases|
|Japanese Version||Domestic Product Developers||2 cases||174 cases|
|Japanese Version||JVN||215 cases||6,292 cases|
|Japanese Version||NVD||1,236 cases||53,081 cases|
|Japanese Version||Total||1,453 cases||59,547 cases|
|English Version||Domestic Product Developers||2 cases||174 cases|
|English Version||JVN||33 cases||1,198 cases|
|English Version||Total||35 cases||1,372 cases|
~ 4 out of 10 vulnerabilities disclosed during this quarter are rated the severest "level III" ~
In March 2016, a vulnerability called "DROWN" (*4) that allows an attacker to break encrypted communications was disclosed. It is an SSLv2 protocol vulnerability, and if exploited, an attacker could decrypt communications encrypted by servers that still support SSLv2. According to disclosed vulnerability information, the vulnerability would affect 33 percent of all HTTPS servers, which drew wide public attention.
OpenSSL is one of the software products that use SSLv2 and is widely adopted by servers and routers. From January to March 2016 alone, 11 OpenSSL vulnerabilities, including DROWN (*5), were registered to JVN iPedia (Table 1-2).
Looking at the CVSSv2 Base Score (a numeric value that indicates the severity of vulnerability) of the said 11 vulnerabilities, 4 vulnerabilities are labeled as the severest (CVSSv2 Base Score 7.0 – 10.0). It suggests that multiple highly dangerous vulnerabilities have been found besides DROWN. If these vulnerabilities are exploited, serious damage could be inflicted, such as disclosure and/or alteration of confidential data, or disruption of services.
|No||ID (CVE)||Title||Date Public||CVSS v2|
|Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL||2016/3/1||10.0|
|Denial of service (DoS) vulnerability in the fmtstr function in crypto/bio/b_print.c in OpenSSL||2016/3/1||10.0|
|Integer overflow vulnerability in the doapr_outch function in crypto/bio/b_print.c in OpenSSL||2016/3/1||10.0|
|Denial of service (DoS) vulnerability in the SRP_VBASE_get_by_user implementation in OpenSSL||2016/3/1||7.8|
|OpenSSL integer overflow vulnerability||2016/3/1||5.0|
|Vulnerability in ssl/s2_srvr.c in OpenSSL allows an attacker to defeat cryptographic protection mechanism||2015/12/31||4.3|
|Vulnerability in SSLv2 allows an attacker to decrypt TLS ciphertext data (aka DROWN)||2016/3/1||4.3|
|Vulnerability in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL allows an attacker to determine the MASTER-KEY value||2016/3/1||4.3|
|Vulnerability in an Oracle protection mechanism in s2_srvr.c in the SSLv2 implementation in OpenSSL allows an attacker to decrypt TLS ciphertext data||2016/3/1||4.3|
|Vulnerability in the DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL allows an attacker to discover a private DH exponent||2016/1/28||2.6|
|Vulnerability in the MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL allows an attacker to discover RSA keys||2016/3/1||1.9|
OpenSSL is widely used by or embedded in various products to encrypt files and/or communications. To mitigate attacks that exploit vulnerabilities and to prevent harm, it is critical for system administrators and operators to collect the latest vulnerability information on the software they use every day and to update to a fixed version when a vulnerability is discovered. OpenSSL may be embedded in some products without the users being aware of it. Ask product vendors whether their products use OpenSSL; if they do, those products need to be updated as well.
Figure 2-1 shows the number of vulnerabilities newly added to JVN iPedia during the 1st quarter of 2016, sorted by the CWE vulnerability types.
The vulnerability type reported most in the 1st quarter is CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) with 261 cases, followed by CWE-200 (Information Exposure) with 151 cases, CWE-20 (Improper Input Validation) with 126 cases, CWE-79 (Cross-Site Scripting) with 123 cases, and CWE-264 (Permissions, Privileges and Access Controls) with 120 cases. CWE-119, the most reported vulnerability type this quarter, could allow an attacker to execute arbitrary code on the affected servers or PCs, causing various undesirable consequences, such as unauthorized access to and/or alteration of data.
Software developers need to make sure to implement necessary security measures from the planning and design phase of software development to mitigate vulnerability. IPA provides tools and guidelines, such as "How to Secure Your Website" (*6) for website developers and operators to create a secure website and "AppGoat" (*7) to help learn and understand vulnerability through hands-on practice and exercise.
Figure 2-2 shows the annual change in the severity of vulnerabilities registered to JVN iPedia based on the date they were first published.
As of the end of March 2015, 40.1 percent of all vulnerabilities registered since the launch of JVN iPedia are level III ("High", CVSS Base Score = 7.0-10.0), 52.6 percent are level II ("Medium", CVSS Base Score = 4.0-6.9), and 7.3 percent are level I ("Low", CVSS Base Score = 0.0-3.9).
This means the severity of about 93 percent of the known vulnerabilities is level II or higher, which is critical enough to cause a service outage. To avoid threats imposed by the known vulnerabilities, it is essential for users to update software to the latest version or apply security patches as soon as possible when they become available.
In addition to a CVSSv2 severity score, JVN iPedia has been running a pilot to provide a CVSSv3 severity score since December 1, 2015.
Figure 2-3 shows the annual change in the type of software reported with vulnerability. Application vulnerabilities have been disclosed most, accounting for 77.4 percent of the total.
Since 2007, vulnerabilities in industrial control systems (ICS) used in critical infrastructure sectors have been added to JVN iPedia. As of 2016/1Q, a total of 815 ICS vulnerabilities have been registered (Figure 2-4).
Table 2-4 lists the top 20 software products with the most vulnerabilities registered during the 1st quarter (January to March) of 2016. As shown below, 8 out of 20 are operating systems and 5, including the 1st, are browsers. Operating systems and browsers together account for more than half of the top 20.
Developers and users should promptly obtain vulnerability information about the software they are using and take timely action (*8).
|Rank||Category||Product Name (Vendor)|| Number of|
|1||Browser||Google Chrome (Google)||117|
|2||OS||Microsoft Windows Server 2012 (Microsoft)||77|
|3||OS||Microsoft Windows 10 (Microsoft)||76|
|4||Business Integration Package||Oracle E-Business Suite (Oracle)||75|
|4||OS||Microsoft Windows 8.1 (Microsoft)||75|
|6||Media Player||Adobe Flash Player (Adobe Systems)||74|
|6||Execution Environment||Adobe AIR (Adobe Systems)||74|
|6||Development Environment||Adobe AIR SDK & Compiler (Adobe Systems)||74|
|6||Development Environment||Adobe AIR SDK (Adobe Systems)||74|
|10||Browser||Mozilla Firefox (Mozilla Foundation)||60|
|11||Browser||Microsoft Internet Explorer (Microsoft)||58|
|12||OS||Microsoft Windows RT 8.1 (Microsoft)||57|
|13||OS||Apple Mac OS X (Apple)||55|
|14||Browser||Microsoft Edge (Microsoft)||48|
|16||Network Analyzer||Wireshark (Wireshark)||45|
|18||Browser||Mozilla Firefox ESR (Mozilla Foundation)||34|
|20||OS||Microsoft Windows 7 (Microsoft)||30|
Table 3-1 lists the top 20 most accessed vulnerability information in JVN iPedia during the 1st quarter of 2016 (January – March).
The 1st is an F5 BIG-IP vulnerability. It has gathered a lot of attention probably because the product is widely used by websites. The 2nd is a glibc vulnerability and has had a high access count likely due to being covered by blogs and news sites. As for the Java vulnerabilities (ranked 10th and 20th), IPA has issued a security alert (*9) since Java is particularly popular software and the damage from exploitation could be huge.
|1||JVNDB-2015-006773||AOM password sync vulnerability in multiple F5 BIG-IP products (Japanese)||10.0||2016/1/15|
|2||JVNDB-2016-001419||glibc buffer overflow vulnerability (Japanese)||6.8||2016/2/18|
|3||JVNDB-2016-001382||Cisco Adaptive Security Appliance (ASA) Software IKEv1 and IKEv2 Buffer Overflow Vulnerability (Japanese)||10.0||2016/2/12|
|4||JVNDB-2014-008022||Arbitrary code execution vulnerability in HP Easy Deploy used by multiple HP Thin Client devices (Japanese)||10.0||2015/4/16|
|5||JVNDB-2016-000001||DX Library vulnerable to buffer overflow||6.8||2016/1/5|
|6||JVNDB-2015-006768||Buffer overflow vulnerability in the pcnet_receive function in hw/net/pcnet.c in QEMU (Japanese)||6.8||2016/1/15|
|7||JVNDB-2014-004670||SSL (including the implementation in OpenSSL) allows an attacker to calculate the plaintext of secure connections (Japanese)||4.3||2014/10/16|
|8||JVNDB-2016-000015||EXPRESSCLUSTER X vulnerable to directory traversal||7.8||2016/1/29|
|9||JVNDB-2016-000012||HOME SPOT CUBE vulnerable to OS command injection||5.2||2016/1/27|
|10||JVNDB-2016-001070||AWT-related vulnerability in multiple Oracle Java products (Japanese)||10.0||2016/1/20|
|11||JVNDB-2016-000006||Multiple Buffalo network devices vulnerable to cross-site scripting||4.3||2016/1/22|
|12||JVNDB-2016-000017||JOB-CUBE vulnerable to cross-site scripting||4.0||2016/1/29|
|13||JVNDB-2016-000003||H2O vulnerable to HTTP header injection||4.3||2016/1/15|
|14||JVNDB-2015-000201||CG-WLBARGS does not properly perform authentication||10.0||2015/12/25|
|15||JVNDB-2016-000029||LINE for Windows and LINE for Mac OS vulnerable to denial-of-service (DoS)||4.0||2016/2/19|
|16||JVNDB-2015-000203||CG-WLNCM4G may behave as an open resolver||5.0||2015/12/25|
|17||JVNDB-2014-000048||OpenSSL improper handling of Change Cipher Spec message||4.0||2014/6/6|
|18||JVNDB-2016-000016||Vine MV vulnerable to cross-site scripting||4.3||2016/1/29|
|19||JVNDB-2016-000011||HOME SPOT CUBE vulnerable to clickjacking||2.6||2016/1/27|
|20||JVNDB-2016-001071||2D-related vulnerability in Oracle Java SE and Java SE Embedded (Japanese)||10.0||2016/1/20|
Table 3-2 lists the top 5 most accessed vulnerability information among those reported by domestic product developers. If using vulnerable software, system administrators should apply security patches or update their systems as soon as possible to prevent damage.
|1||JVNDB-2015-006527||Cross-site Scripting Vulnerability in uCosminexus Portal Framework and Groupmax Collaboration||3.5||2015/12/28|
|2||JVNDB-2015-006129||Multiple Cross-site Scripting Vulnerabilities in EUR||3.5||2015/12/9|
|3||JVNDB-2015-006130||Vulnerability in JP1/Automatic Job Management System 3||5.0||2015/12/9|
|4||JVNDB-2015-006054||XML External Entity (XXE) Vulnerability in Hitachi Command Suite||5.0||2015/12/1|
|5||JVNDB-2016-001472||Remote File Inclusion Vulnerability in Hitachi Command Suite||10.0||2016/2/24|
Note 1) Color Code for CVSS Base Score and Severity Level
|CVSS Base Score = 0.0-3.9, Severity Level = I (Low)||CVSS Base Score = 4.0-6.9, Severity Level = II (Medium)||CVSS Base Score = 7.0-10.0, Severity Level = III (High)|
Note 2) Color Code for Published Date
|Published in 2014 and before||Published in 2015||Published in 2016|
(*1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information including information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.
(*2) National Vulnerability Database: A vulnerability database operated by NIST.
(*3) National Institute of Standards and Technology: A U.S. federal agency that develops and promotes measurement, standards and technology.
(*4) The DROWN Attack
(*5) Vulnerability in SSLv2 allows an attacker to decrypt TLS ciphertext data (aka DROWN)
(*6) How to Secure Your Websites
(*7) Hands-on vulnerability learning and exercising tool "AppGoat"
(*8) IPA Technical Watch - Daily Practice Guide: Tips on Vulnerability Management
The guide gives tips on how to efficiently collect and leverage vulnerability information.
(*9) Security Alert on Oracle Java Vulnerabilities (CVE-2016-0494 and others)
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)