Vulnerability Countermeasure Information Database JVN iPedia Registration Status [2016 1st Quarter (Jan. - Mar.)]

May 30, 2016
IT Security Center

1. 2016 1st Quarter: Vulnerability Countermeasure Information Database JVN iPedia Registration Status

The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/en/) aims to be a comprehensive database that aggregates vulnerability countermeasure information about software used in Japan so that IT users can easily access it. JVN iPedia collects and/or translates the vulnerability countermeasure information published by 1) domestic software developers, 2) JVN (*1), a vulnerability information portal run by IPA and JPCERT/CC, and 3) NVD (*2), a vulnerability information database run by NIST (*3). JVN iPedia has made this vulnerability information available to the public since April 25, 2007.

1-1. Vulnerabilities Registered in 2016 1Q

~ A total of 59,547 vulnerabilities stored in JVN iPedia ~

The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 1st quarter of 2016 (January 1 to March 31, 2016) is shown in the table below. As of the end of March 2016, the total number of vulnerabilities stored in JVN iPedia is 59,547 (Table 1-1, Figure 1-1).

As for the English version, a total of 1,372 vulnerabilities are available, as shown in the lower half of the table.


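Table 1-1. Registered Vulnerabilities in 1st Quarter of 2016

| Version | Information Source | Registered Cases | Cumulative Cases |
|---|---|---|---|
| Japanese Version | Domestic Product Developers | 2 cases | 174 cases |
| Japanese Version | JVN | 215 cases | 6,292 cases |
| Japanese Version | NVD | 1,236 cases | 53,081 cases |
| Japanese Version | Total | 1,453 cases | 59,547 cases |
| English Version | Domestic Product Developers | 2 cases | 174 cases |
| English Version | JVN | 33 cases | 1,198 cases |
| English Version | Total | 35 cases | 1,372 cases |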

1-2. Hot Topic #1: OpenSSL Vulnerabilities

~ 4 out of 10 vulnerabilities disclosed during this quarter are rated the severest "level III" ~

In March 2016, a vulnerability called "DROWN" (*4) that allows an attacker to break encrypted communications was disclosed. It is an SSLv2 protocol vulnerability, and if exploited, an attacker could decrypt communications encrypted by servers that still support SSLv2. According to the disclosed vulnerability information, the vulnerability would affect 33 percent of all HTTPS servers, which drew wide public attention.

OpenSSL is one of the software products that use SSLv2 and is widely adopted by servers and routers. From January to March 2016 alone, 11 OpenSSL vulnerabilities, including DROWN (*5), were registered to JVN iPedia (Table 1-2).

Looking at the CVSSv2 Base Score (a numeric value that indicates the severity of a vulnerability) of these 11 vulnerabilities, 4 are labeled as the severest (CVSSv2 Base Score 7.0 – 10.0). This suggests that multiple highly dangerous vulnerabilities have been found besides DROWN. If these vulnerabilities are exploited, serious damage could be inflicted, such as disclosure and/or alteration of confidential data, or disruption of services.


Table 1-2. OpenSSL Vulnerabilities Registered to JVN iPedia (January 2016 - March 2016)

| No | ID (CVE) | Title | Date Public | CVSS v2 Base Score |
|---|---|---|---|---|
| 1 | JVNDB-2016-001613 (CVE-2016-0705) | Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL | 2016/3/1 | 10.0 |
| 2 | JVNDB-2016-001616 (CVE-2016-0799) | Denial of service (DoS) vulnerability in the fmtstr function in crypto/bio/b_print.c in OpenSSL | 2016/3/1 | 10.0 |
| 3 | JVNDB-2016-001617 (CVE-2016-2842) | Integer overflow vulnerability in the doapr_outch function in crypto/bio/b_print.c in OpenSSL | 2016/3/1 | 10.0 |
| 4 | JVNDB-2016-001615 (CVE-2016-0798) | Denial of service (DoS) vulnerability in the SRP_VBASE_get_by_user implementation in OpenSSL | 2016/3/1 | 7.8 |
| 5 | JVNDB-2016-001614 (CVE-2016-0797) | OpenSSL integer overflow vulnerability | 2016/3/1 | 5.0 |
| 6 | JVNDB-2015-006985 (CVE-2015-3197) | Vulnerability in ssl/s2_srvr.c in OpenSSL allows an attacker to defeat cryptographic protection mechanism | 2015/12/31 | 4.3 |
| 7 | JVNDB-2016-001554 (CVE-2016-0800) | Vulnerability in SSLv2 allows an attacker to decrypt TLS ciphertext data (aka DROWN) | 2016/3/1 | 4.3 |
| 8 | JVNDB-2016-001637 (CVE-2016-0703) | Vulnerability in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL allows an attacker to determine the MASTER-KEY value | 2016/3/1 | 4.3 |
| 9 | JVNDB-2016-001693 (CVE-2016-0704) | Vulnerability in an Oracle protection mechanism in s2_srvr.c in the SSLv2 implementation in OpenSSL allows an attacker to decrypt TLS ciphertext data | 2016/3/1 | 4.3 |
| 10 | JVNDB-2016-001692 (CVE-2016-0701) | Vulnerability in the DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL allows an attacker to discover a private DH exponent | 2016/1/28 | 2.6 |
| 11 | JVNDB-2016-001612 (CVE-2016-0702) | Vulnerability in the MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL allows an attacker to discover RSA keys | 2016/3/1 | 1.9 |

OpenSSL is widely used by or embedded in various products to encrypt files and/or communications. To mitigate attacks that try to exploit vulnerabilities and to prevent harm, it is critical for system administrators and operators to collect the latest vulnerability information on the software they use every day and to update it to a fixed version when a vulnerability is discovered. OpenSSL may be embedded in some products without the users being aware of it. Ask product vendors whether their products use OpenSSL; if they do, those products need to be updated as well.

2. Details on JVN iPedia Registered Data

2-1. Type of Vulnerabilities Reported

Figure 2-1 shows the number of vulnerabilities newly added to JVN iPedia during the 1st quarter of 2016, sorted by the CWE vulnerability types.

The most frequently reported vulnerability type in the 1st quarter is CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) with 261 cases, followed by CWE-200 (Information Exposure) with 151, CWE-20 (Improper Input Validation) with 126 cases, CWE-79 (Cross-Site Scripting) with 123, and CWE-264 (Permissions, Privileges and Access Controls) with 120 cases. CWE-119, the most reported vulnerability type this quarter, could allow an attacker to execute arbitrary code on the affected servers or PCs, causing various undesirable consequences, such as unauthorized access to and/or alteration of data.

Software developers need to implement the necessary security measures from the planning and design phase of software development to mitigate vulnerabilities. IPA provides tools and guidelines, such as "How to Secure Your Website" (*6) for website developers and operators to create a secure website and "AppGoat" (*7) to help learn and understand vulnerabilities through hands-on practice and exercises.

2-2. Severity of Vulnerabilities Reported

Figure 2-2 shows the annual change in the severity of vulnerabilities registered to JVN iPedia based on the date they were first published.

As of the end of March 2015, 40.1 percent of all vulnerabilities registered since the launch of JVN iPedia are level III (“High”, CVSS Base Score = 7.0-10.0), 52.6 percent are level II (“Medium”, CVSS Base Score = 4.0-6.9), and 7.3 percent are level I (“Low”, CVSS Base Score = 0.0-3.9).

This means the severity of about 93 percent of the known vulnerabilities is level II or higher, which is critical enough to cause a service outage. To avoid the threats posed by known vulnerabilities, it is essential for users to update software to the latest version or apply security patches as soon as they become available.

In addition to a CVSSv2 severity score, JVN iPedia has been piloting the provision of a CVSSv3 severity score since December 1, 2015.

2-3. Type of Software Reported for Having Vulnerability

Figure 2-3 shows the annual change in the type of software reported as having vulnerabilities. Application vulnerabilities have been disclosed most, accounting for 77.4 percent of the total.

Since 2007, vulnerabilities in industrial control systems (ICS) used in critical infrastructure sectors have been added to JVN iPedia. As of 2016/1Q, a total of 815 ICS vulnerabilities have been registered (Figure 2-4).

2-4. Product Reported

Table 2-4 lists the top 20 software products with the most vulnerabilities registered during the 1st quarter (January to March) of 2016. As shown below, 8 out of 20 are operating systems and 5, including the 1st, are browsers. Operating systems and browsers account for more than half of the top 20.

Developers and users should promptly obtain vulnerability information about the software they are using and take timely action (*8).


Table 2-4. Top 20 Software Products with the Most Vulnerabilities Registered [Jan. 2016 – Mar. 2016]

| Rank | Category | Product Name (Vendor) | Number of Vulnerabilities Registered |
|---|---|---|---|
| 1 | Browser | Google Chrome (Google) | 117 |
| 2 | OS | Microsoft Windows Server 2012 (Microsoft) | 77 |
| 3 | OS | Microsoft Windows 10 (Microsoft) | 76 |
| 4 | Business Integration Package | Oracle E-Business Suite (Oracle) | 75 |
| 4 | OS | Microsoft Windows 8.1 (Microsoft) | 75 |
| 6 | Media Player | Adobe Flash Player (Adobe Systems) | 74 |
| 6 | Execution Environment | Adobe AIR (Adobe Systems) | 74 |
| 6 | Development Environment | Adobe AIR SDK & Compiler (Adobe Systems) | 74 |
| 6 | Development Environment | Adobe AIR SDK (Adobe Systems) | 74 |
| 10 | Browser | Mozilla Firefox (Mozilla Foundation) | 60 |
| 11 | Browser | Microsoft Internet Explorer (Microsoft) | 58 |
| 12 | OS | Microsoft Windows RT 8.1 (Microsoft) | 57 |
| 13 | OS | Apple Mac OS X (Apple) | 55 |
| 14 | Browser | Microsoft Edge (Microsoft) | 48 |
| 15 | OS | iOS (Apple) | 46 |
| 16 | Network Analyzer | Wireshark (Wireshark) | 45 |
| 16 | OS | Android (Google) | 45 |
| 18 | Middleware | MySQL (Oracle) | 34 |
| 18 | Browser | Mozilla Firefox ESR (Mozilla Foundation) | 34 |
| 20 | OS | Microsoft Windows 7 (Microsoft) | 30 |

3. Most Accessed Vulnerability Countermeasure Information

Table 3-1 lists the top 20 most accessed vulnerability information entries in JVN iPedia during the 1st quarter of 2016 (January – March).

The 1st is an F5 BIG-IP vulnerability. It has gathered a lot of attention, probably because the product is widely used by websites. The 2nd is a glibc vulnerability, which has had a high access count likely because it was covered by blogs and news sites. As for the Java vulnerabilities (ranked 10th and 20th), IPA has issued a security alert (*9) since Java is particularly popular software and the damage from exploitation could be huge.


Table 3-1. Top 20 Most Accessed Vulnerability Countermeasure Information in JVN iPedia [Jan. 2016 – Mar. 2016]

| No | ID | Title | CVSS Score | Date Public |
|---|---|---|---|---|
| 1 | JVNDB-2015-006773 | AOM password sync vulnerability in multiple F5 BIG-IP products (Japanese) | 10.0 | 2016/1/15 |
| 2 | JVNDB-2016-001419 | glibc buffer overflow vulnerability (Japanese) | 6.8 | 2016/2/18 |
| 3 | JVNDB-2016-001382 | Cisco Adaptive Security Appliance (ASA) Software IKEv1 and IKEv2 Buffer Overflow Vulnerability (Japanese) | 10.0 | 2016/2/12 |
| 4 | JVNDB-2014-008022 | Arbitrary code execution vulnerability in HP Easy Deploy used by multiple HP Thin Client devices (Japanese) | 10.0 | 2015/4/16 |
| 5 | JVNDB-2016-000001 | DX Library vulnerable to buffer overflow | 6.8 | 2016/1/5 |
| 6 | JVNDB-2015-006768 | Buffer overflow vulnerability in the pcnet_receive function in hw/net/pcnet.c in QEMU (Japanese) | 6.8 | 2016/1/15 |
| 7 | JVNDB-2014-004670 | SSL (including the implementation in OpenSSL) allows an attacker to calculate the plaintext of secure connections (Japanese) | 4.3 | 2014/10/16 |
| 8 | JVNDB-2016-000015 | EXPRESSCLUSTER X vulnerable to directory traversal | 7.8 | 2016/1/29 |
| 9 | JVNDB-2016-000012 | HOME SPOT CUBE vulnerable to OS command injection | 5.2 | 2016/1/27 |
| 10 | JVNDB-2016-001070 | AWT-related vulnerability in multiple Oracle Java products (Japanese) | 10.0 | 2016/1/20 |
| 11 | JVNDB-2016-000006 | Multiple Buffalo network devices vulnerable to cross-site scripting | 4.3 | 2016/1/22 |
| 12 | JVNDB-2016-000017 | JOB-CUBE vulnerable to cross-site scripting | 4.0 | 2016/1/29 |
| 13 | JVNDB-2016-000003 | H2O vulnerable to HTTP header injection | 4.3 | 2016/1/15 |
| 14 | JVNDB-2015-000201 | CG-WLBARGS does not properly perform authentication | 10.0 | 2015/12/25 |
| 15 | JVNDB-2016-000029 | LINE for Windows and LINE for Mac OS vulnerable to denial-of-service (DoS) | 4.0 | 2016/2/19 |
| 16 | JVNDB-2015-000203 | CG-WLNCM4G may behave as an open resolver | 5.0 | 2015/12/25 |
| 17 | JVNDB-2014-000048 | OpenSSL improper handling of Change Cipher Spec message | 4.0 | 2014/6/6 |
| 18 | JVNDB-2016-000016 | Vine MV vulnerable to cross-site scripting | 4.3 | 2016/1/29 |
| 19 | JVNDB-2016-000011 | HOME SPOT CUBE vulnerable to clickjacking | 2.6 | 2016/1/27 |
| 20 | JVNDB-2016-001071 | 2D-related vulnerability in Oracle Java SE and Java SE Embedded (Japanese) | 10.0 | 2016/1/20 |

Table 3-2 lists the top 5 most accessed vulnerability information entries among those reported by domestic product developers. If using vulnerable software, system administrators should apply security patches or update their systems as soon as possible to prevent damage.


Table 3-2. Top 5 Most Accessed Vulnerability Countermeasure Information Reported by Domestic Developers [Jan. 2016 – Mar. 2016]

| No | ID | Title | CVSS Score | Date Public |
|---|---|---|---|---|
| 1 | JVNDB-2015-006527 | Cross-site Scripting Vulnerability in uCosminexus Portal Framework and Groupmax Collaboration | 3.5 | 2015/12/28 |
| 2 | JVNDB-2015-006129 | Multiple Cross-site Scripting Vulnerabilities in EUR | 3.5 | 2015/12/9 |
| 3 | JVNDB-2015-006130 | Vulnerability in JP1/Automatic Job Management System 3 | 5.0 | 2015/12/9 |
| 4 | JVNDB-2015-006054 | XML External Entity (XXE) Vulnerability in Hitachi Command Suite | 5.0 | 2015/12/1 |
| 5 | JVNDB-2016-001472 | Remote File Inclusion Vulnerability in Hitachi Command Suite | 10.0 | 2016/2/24 |

Note 1) Color Code for CVSS Base Score and Severity Level

CVSS Base Score = 0.0~3.9: Severity Level = I (Low)
CVSS Base Score = 4.0~6.9: Severity Level = II (Medium)
CVSS Base Score = 7.0~10.0: Severity Level = III (High)

Note 2) Color Code for Published Date

Published in 2014 and before; Published in 2015; Published in 2016

Footnotes

(*1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information including information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.
https://jvn.jp/en/

(*2) National Vulnerability Database: A vulnerability database operated by NIST.
http://nvd.nist.gov/home.cfm

(*3) National Institute of Standards and Technology: A U.S. federal agency that develops and promotes measurement, standards and technology.
http://www.nist.gov/

(*4) The DROWN Attack
https://drownattack.com/

(*5) Vulnerability in SSLv2 allows an attacker to decrypt TLS ciphertext data (aka DROWN)
http://jvndb.jvn.jp/ja/contents/2016/JVNDB-2016-001554.html (Japanese)

(*6) How to Secure Your Websites
https://www.ipa.go.jp/security/vuln/websecurity.html (Japanese)

(*7) Hands-on vulnerability learning and exercising tool "AppGoat"
https://www.ipa.go.jp/security/vuln/appgoat/index.html (Japanese)

(*8) IPA Technical Watch - Daily Practice Guide: Tips on Vulnerability Management
The guide gives tips on how to efficiently collect and leverage vulnerability information.
https://www.ipa.go.jp/security/technicalwatch/20150331.html (Japanese)

(*9) Security Alert on Oracle Java Vulnerabilities (CVE-2016-0494 and others)
https://www.ipa.go.jp/security/ciadr/vul/20160120-jre.html (Japanese)

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)