November 11, 2016
IT Security Center
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/en/) is endeavoring to become a comprehensive database where vulnerability countermeasure information about software used in Japan is aggregated for IT users to easily access the information. JVN iPedia collects and/or translates the vulnerability countermeasure information published by 1) domestic software developers, 2) JVN (*1), a vulnerability information portal run by IPA and JPCERT/CC, and 3) NVD (*2), a vulnerability information database run by NIST (*3). JVN iPedia has continued to make the vulnerability information available to the public since April 25, 2007.
~ JVN iPedia now stores 63,047 vulnerabilities ~
The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 3rd quarter of 2016 (July 1 to September 30, 2016) is shown in the table below. As of the end of September 2016, the total number of vulnerabilities stored in JVN iPedia is 63,047 (Table 1-1, Figure 1-1).
As for the English version, a total of 1,516 vulnerabilities is available, as shown in the lower half of the table.
|Version||Information Source||Registered Cases||Cumulative Cases|
|Japanese Version||Domestic Product Developers||2 cases||178 cases|
|Japanese Version||JVN||278 cases||6,776 cases|
|Japanese Version||NVD||1,458 cases||56,093 cases|
|Japanese Version||Total||1,738 cases||63,047 cases|
|English Version||Domestic Product Developers||2 cases||178 cases|
|English Version||JVN||56 cases||1,338 cases|
|English Version||Total||58 cases||1,516 cases|
~ Attacks exploiting three Apple iOS vulnerabilities have been observed ~
In August, Apple Inc. disclosed vulnerabilities in iOS, the operating system for its iPhone and iPad. Because attacks targeting those vulnerabilities had already been confirmed by a security vendor at the time of their disclosure (*4), IPA issued an emergency security alert (*5) in case the damage spread over time. The attacks exploited three iOS vulnerabilities: if an unpatched smartphone accesses a malicious web page prepared by attackers, information such as call history and SMS messages may be exposed.
Table 1-2 shows these three vulnerabilities. The severity of CVE-2016-4657 (No.3) has been evaluated as “Level II (Medium)”, but by using attacks against this vulnerability as a stepping stone, the “Level III (High)” vulnerabilities CVE-2016-4655 (No.1) and CVE-2016-4656 (No.2) could be exploited, leading to more severe damage. If an affected device is infected with malware through these vulnerabilities, an OS update alone will not correct the problem(s), and some security software will be required to clean it up (*6).
|1||Apple iOS Kernel Memory Disclosure||7.1|
|2||Apple iOS Kernel Arbitrary Code Execution in Privileged Context||9.3|
|3||Apple iOS Webkit Arbitrary Code Execution Vulnerability||6.8|
Smartphones are used for various purposes, such as making phone calls, accessing the Internet and finding locations using GPS coordinates, and in doing so they collect a lot of sensitive information, such as phone numbers, call history and location information. As a result, if data stored in a smartphone is stolen or the device is hijacked, the owner may suffer serious damage.
To use a smartphone safely, the owner should update the smartphone OS promptly whenever an update is released. Likewise, when updates are released for the applications installed on the smartphone, they should be applied swiftly as well. Moreover, to reduce the risk of malware infection, taking additional security measures, such as using antivirus software, is also important.
~ Most severe “Level III (High)” vulnerabilities found in Symantec security software ~
In late June, security software vendor Symantec Corporation disclosed vulnerability information on its products. Because exploit code for those vulnerabilities was already available on the Internet, making attacks easier to carry out, IPA judged the likelihood of exploitation to be very high and issued an emergency security alert in July (*7).
Table 1-3 lists the Level III (High) vulnerabilities among the series of Symantec vulnerabilities released by the vendor and registered to JVN iPedia. If exploited, they could cause various undesirable consequences, such as the abnormal termination of application programs or computer hijacking. Note that for some enterprise products, users need to both install the latest version and run an update feature such as LiveUpdate. For details on how to update, check the vendor-provided information (*8).
|1|| ||Decompression memory access violation vulnerability in Multiple Symantec Products||10.0|
|2|| ||Dec2SS buffer overflow vulnerability in Multiple Symantec Products||9.0|
|3|| ||Dec2LHA buffer overflow vulnerability in Multiple Symantec Products||9.0|
|4||JVNDB-2016-003444||CAB decompression memory corruption vulnerability in Multiple Symantec Products||9.3|
|5||JVNDB-2016-003445||MIME message modification memory corruption vulnerability in Multiple Symantec Products||10.0|
|6||JVNDB-2016-003446||TNEF integer overflow vulnerability in Multiple Symantec Products||10.0|
|7||JVNDB-2016-003447||ZIP decompression memory access violation vulnerability in Multiple Symantec Products||10.0|
Normally, security software is there to protect a computer from threats such as malware. There are cases, however, where a vulnerability is found in the security software itself and becomes a route for exploitation.
Users should be aware that security software is susceptible to vulnerabilities just like any other software, and should update it promptly when security software vendors release patches or updates for vulnerabilities in their products.
Figure 2-1 shows the number of vulnerabilities newly added to JVN iPedia during the 3rd quarter of 2016, sorted by the CWE vulnerability types.
The vulnerability type reported most in the 3rd quarter is CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) with 327 cases, followed by CWE-200 (Information Exposure) with 189, CWE-264 (Permissions, Privileges and Access Controls) with 187, CWE-20 (Improper Input Validation) with 133 and CWE-79 (Cross-Site Scripting) with 113. CWE-119, the most reported vulnerability type this quarter, could allow an attacker to execute arbitrary code on the affected server/PC, causing various undesirable consequences, such as unauthorized access to and/or modification of data.
Software developers need to make sure to implement necessary security measures from the planning and design phase of software development to mitigate vulnerability. IPA provides tools and guidelines, such as “How to Secure Your Website” (*9) for website developers and operators to create a secure website and “AppGoat” (*10) to help learn and understand vulnerability through hands-on practice and exercise.
Figure 2-2 shows the annual change in the severity of vulnerabilities registered to JVN iPedia based on the year they were first published.
As of the end of September 2016, 40.1 percent of all vulnerabilities registered since the launch of JVN iPedia are level III (“High”, CVSS Base Score = 7.0-10.0), 52.5 percent are level II (“Medium”, CVSS Base Score = 4.0-6.9), and 7.4 percent are level I (“Low”, CVSS Base Score = 0.0-3.9).
This means the severity of 92.6 percent of the known vulnerabilities is level II or higher, which is critical enough to cause damage like information exposure or data modification. To mitigate threats imposed by the known vulnerabilities, it is essential for users to update software to the latest version or apply security patches as soon as possible when they become available.
In addition to a CVSSv2 severity score, JVN iPedia has been piloting the provision of a CVSSv3 severity score since December 1, 2015.
Figure 2-3 shows the annual change in the type of software reported with vulnerability. Application vulnerabilities have been disclosed most, accounting for 70.4 percent of the 2016 total so far.
Since 2007, vulnerabilities in industrial control systems (ICS) used in critical infrastructure sectors have been added to JVN iPedia. As of 2016/3Q, a total of 918 ICS vulnerabilities have been registered (Figure 2-4).
Table 2-4 lists the top 20 software products with the most vulnerabilities registered to JVN iPedia during the 3rd quarter (July to September) of 2016. Ranked 1st is Android with 231 vulnerabilities, which were disclosed in its monthly security updates. Other than Android, many vulnerabilities in Microsoft operating systems, such as Windows 10, have been registered.
Besides browsers and operating systems, JVN iPedia stores vulnerabilities for a variety of software used in business and at home. IPA hopes software users and developers will make use of JVN iPedia to efficiently check vulnerability information about the software they are using and take the necessary action in a timely manner (*11).
|Rank||Category||Product Name (Vendor)|| Number of|
|2||Browser||Google Chrome (Google)||138|
|3||OS||Microsoft Windows 10 (Microsoft)||119|
|4||OS||Microsoft Windows Server 2012 (Microsoft)||113|
|4||OS||Microsoft Windows 8.1 (Microsoft)||113|
|6||OS||Microsoft Windows RT 8.1 (Microsoft)||97|
|7||OS||Apple Mac OS X (Apple)||91|
|9||Media Player||Adobe Flash Player (Adobe Systems)||78|
|11||Script Language||PHP (The PHP Group)||48|
|12||Browser||Mozilla Firefox (Mozilla Foundation)||44|
|13||PDF Viewer||Adobe Reader (Adobe Systems)||39|
|13||PDF Viewer/Editor||Adobe Acrobat (Adobe Systems)||39|
|13||PDF Viewer/Editor||Adobe Acrobat DC (Adobe Systems)||39|
|13||PDF Viewer||Adobe Acrobat Reader DC (Adobe Systems)||39|
|19||Browser||Microsoft Internet Explorer (Microsoft)||37|
|20||OS||Linux Kernel (kernel.org)||35|
Table 3-1 lists the top 20 most accessed vulnerability information in JVN iPedia during the 3rd quarter of 2016 (July – September).
Ranked 1st is a vulnerability in Apache Commons FileUpload. It is used by Apache Struts and Apache Tomcat, and a lot of other software might be affected as well. Apache Struts ranked 3rd, 5th, 13th and 14th, making vulnerabilities in web application development software a hot topic. The 4th and 10th are LINE vulnerabilities. Users who are not running the latest version of LINE may end up downloading malicious files via man-in-the-middle attacks or executing malicious programs.
|1||JVNDB-2016-000121||Apache Commons FileUpload vulnerable to denial-of-service (DoS)||5.0||2016/6/30|
|2||JVNDB-2016-000154||Multiple AKABEi SOFT2 LTD. games vulnerable to OS command injection||6.8||2016/8/31|
|3||JVNDB-2016-000112||Apache Struts vulnerable to validation bypass in Getter method||6.8||2016/6/20|
|4||JVNDB-2016-000123||LINE for Windows may insecurely load Dynamic Link Libraries||6.8||2016/7/8|
|5||JVNDB-2016-000096||Apache Struts 1 vulnerability that allows unintended remote operations against components on memory||6.8||2016/6/7|
|6||JVNDB-2016-000125||WordPress plugin "Nofollow Links" vulnerable to cross-site scripting||2.6||2016/7/20|
|7||JVNDB-2016-000126||Vtiger CRM does not properly restrict access to application data||5.5||2016/7/20|
|8||JVNDB-2016-002475||Arbitrary code execution vulnerability in the ASN.1 implementation in OpenSSL (Japanese)||10.0||2016/5/10|
|9||JVNDB-2016-004375||net/ipv4/tcp_input.c in Linux Kernel vulnerable to TCP session hijack (Japanese)||4.3||2016/8/18|
|10||JVNDB-2016-000153||LINE for Windows fails to properly verify downloaded files||5.1||2016/8/25|
|11||JVNDB-2016-004511||DES and Triple DES encryption algorithm used in cryptographic protocols like TLS vulnerable to birthday attacks (Japanese)||5.0||2016/9/2|
|12||JVNDB-2016-000130||EC-CUBE plugin "Coupon Plugin" vulnerable to SQL injection||6.4||2016/7/22|
|13||JVNDB-2016-000097||Apache Struts 1 vulnerable to input validation bypass||5.8||2016/6/7|
|14||JVNDB-2016-000110||Apache Struts vulnerable to remote code execution||6.8||2016/6/20|
|15||JVNDB-2016-003304||OpenSSL Denial of Service (DoS) vulnerability (Japanese)||4.3||2016/6/22|
|16||JVNDB-2016-002474||Vulnerability in the AES-NI implementation in OpenSSL allows an attacker to obtain sensitive cleartext information (Japanese)||2.6||2016/5/10|
|17||JVNDB-2016-003802||Apache HTTP Server vulnerable to outbound HTTP traffic redirection to arbitrary proxy (Japanese)||5.1||2016/7/25|
|18||JVNDB-2016-000105||Multiple Hikari Denwa routers vulnerable to OS command injection||5.2||2016/6/27|
|19||JVNDB-2016-000106||Multiple Hikari Denwa routers vulnerable to cross-site request forgery||4.0||2016/6/27|
|20||JVNDB-2016-000152||simple chat vulnerable to cross-site scripting||4.3||2016/8/23|
Table 3-2 lists the top 5 most accessed vulnerability information among those reported by domestic product developers. If using vulnerable software, system administrators should apply security patches or update their system as soon as possible to prevent damage.
|1||JVNDB-2016-004496||Information Disclosure Vulnerability in Hitachi Automation Director and JP1/Automatic Operation||3.5||2016/9/2|
|2||JVNDB-2016-003527||Information Disclosure Vulnerability in Hitachi Command Suite||3.5||2016/7/13|
|3||JVNDB-2011-001632||Arbitrary Data Insertion Vulnerability in Hitachi Web Server SSL/TLS Protocol||4.3||2011/5/26|
|4||JVNDB-2016-002716||Cross-site Scripting Vulnerability in Hitachi Tuning Manager||4.3||2016/5/18|
|5||JVNDB-2016-002715||Information Disclosure Vulnerability in Hitachi Command Suite||3.5||2016/5/18|
Note 1) Color Code for CVSS Base Score and Severity Level
|CVSS Base Score = 0.0～3.9, Severity Level = I (Low)||CVSS Base Score = 4.0～6.9, Severity Level = II (Medium)||CVSS Base Score = 7.0～10.0, Severity Level = III (High)|
Note 2) Color Code for Published Date
|Published in 2014 and before||Published in 2015||Published in 2016|
(*1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information, including information on vendor response to the reported vulnerabilities and security support. Operated jointly by IPA and JPCERT/CC.
(*2) National Vulnerability Database: A vulnerability database operated by NIST.
(*3) National Institute of Standards and Technology: A U.S. federal agency that develops and promotes measurement, standards and technology.
(*4) 3 things CISOs need to know about the Trident iOS vulnerabilities
(*5) Emergency Security Alert for Apple iOS and OS X Vulnerabilities (CVE-2016-4655 and others)
(*6) Pegasus Spyware: Overview and What You Can Do
(*7) Emergency Security Alert for Symantec Products Vulnerabilities (CVE-2016-3647 and others)
(*8) Security Advisories Relating to Symantec Products - Symantec Decomposer Engine Multiple Parsing Vulnerabilities
(*9) How to Secure Your Websites
(*10) Hands-on vulnerability learning and exercising tool "AppGoat"
(*11) IPA Technical Watch - Daily Practice Guide: Tips on Vulnerability Management
The guide gives tips on how to efficiently collect and leverage vulnerability information.
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)