Font Size Change

HOMEIT SecurityMeasures for Information Security VulnerabilitiesQuarterly ReportsVulnerability Countermeasure Information Database JVN iPedia Registration Status [2016 3rd Quarter (Jul. - Sep.)]

PRINT PAGE

IT Security

Vulnerability Countermeasure Information Database JVN iPedia Registration Status [2016 3rd Quarter (Jul. - Sep.)]

November 11, 2016
IT Security Center

1. 2016 3rd Quarter: Vulnerability Countermeasure Information Database JVN iPedia Registration Status

The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/en/) is endeavoring to become a comprehensive database where vulnerability countermeasure information about software used in Japan is aggregated for IT users to easily access the information. JVN iPedia collects and/or translates the vulnerability countermeasure information published by 1) domestic software developers, 2) JVN (*1), a vulnerability information portal run by IPA and JPCERT/CC, and 3) NVD (*2), a vulnerability information database run by NIST (*3). JVN iPedia has continued to make the vulnerability information available to the public since April 25, 2007.

1-1. Vulnerabilities Registered in 2016 3Q

~ JVN iPedia now stores 63,047 vulnerabilities ~

The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 3rd quarter of 2016 (July 1 to September 30, 2016) is shown in the table below. As of the end of September 2016, the total number of vulnerabilities stored in JVN iPedia is 63,047 (Table 1-1, Figure 1-1).

As for the English version, the total of 1,516 vulnerabilities are available as shown in the lower half of the table.


Table 1-1. Registered Vulnerabilities in 3rd Quarter of 2016
  Information Source Registered Cases Cumulative Cases
Japanese Version Domestic Product Developers 2 cases 178 cases
JVN 278 cases 6,776 cases
NVD 1,458 cases 56,093 cases
Total 1,738 cases 63,047 cases
English Version Domestic Product Developers 2 cases 178 cases
JVN 56 cases 1,338 cases
Total 58 cases 1,516 cases

1-2. Hot Topic #1: Smartphone OS Vulnerabilities

~ Attacks exploiting three Apple iOS vulnerabilities have been observed ~

In August, Apple Inc. disclosed vulnerabilities in iOS - OS for its iPhone and iPad. Because attacks targeting those vulnerabilities had already been confirmed by a security vendor at the time of their disclosure (*4), IPA issued an emergency security alert (*5) in case that damage spread with time. The attacks exploited three iOS vulnerabilities and if an unpatched smartphone accesses a malicious web page prepared by attackers, information, such as call history and SMS messages, may be exposed.

Table 1-2 shows the said three vulnerabilities. The severity of CVE-2016-4657 (No.3) has been evaluated as “Level II (Medium)”, but by using attacks against this vulnerability as a stepping stone, the “Level III (High)“ vulnerabilities CVE-2016-4655 (No.1) and CVE-2016-4656 (No.2) could be exploited, leading to more severe damage. If an affected device is infected with malware due to the vulnerabilities, OS update alone will not correct the problem(s) and some security software will be required to clean it up (*6).


Table 1-2. iOS vulnerabilities exploited in attacks
NoID (CVE)TitleSeverity
(CVSSv2)
1 JVNDB-2016-004455
(CVE-2016-4655)
Apple iOS Kernel Memory Disclosure 7.1
2 JVNDB-2016-004456
(CVE-2016-4656)
Apple iOS Kernel Arbitrary Code Execution in Privileged Context 9.3
3 JVNDB-2016-004457
(CVE-2016-4657)
Apple iOS Webkit Arbitrary Code Execution Vulnerability 6.8

Smartphones are used for various purposes like making phone calls, accessing the Internet and fining locations using GPS coordinates, and with them, collect a lot of sensitive information like phone numbers, call history and location information. For that, if data stored in a smartphone are stolen or it is hijacked, the owner may suffer serious damage.

To use a smartphone safely, when the smartphone OS is updated, the owner should update it promptly. Also, when smartphone applications installed to his or her smartphone are updated, update them swiftly as well. Moreover, to reduce the risk of malware infection, taking additional security measures, such as using antivirus software, is also important.

1-2. Hot Topic #2: Vulnerabilities in Security Software

~ Most severe “Level III (High)” vulnerabilities found in Symantec security software ~

In late June, security software vendor Symantec Corporation disclosed vulnerability information on their products. Because exploit code for those vulnerabilities had been available on the Internet making conducting attacks easier, IPA determined the possibility of exploitation of them would be very high and issued an emergency security alert in July (*7).

Table 1-3 lists the Level III (High) vulnerabilities among a series of Symantec vulnerabilities released by the vendor and registered to JVN iPedia. If exploited, they could cause various undesirable consequences, such as the abnormal end of application programs or computer hijacking. Note that for some enterprise products, users need to install the latest version AND run the update feature like LiveUpdate. For the details on how to update, check the vendor-provided information (*8).


Table 1-3. Symantec Security Software vulnerabilities exploited in attacks
NoID (CVE)TitleSeverity
(CVSSv2)
1 JVNDB-2016-003441
(CVE-2016-2207)
Decompression memory access violation vulnerability in Multiple Symantec Products 10.0
2 JVNDB-2016-003442
(CVE-2016-2209)
Dec2SS buffer overflow vulnerability in Multiple Symantec Products 9.0
3 JVNDB-2016-003443
(CVE-2016-2210)
Dec2LHA buffer overflow vulnerability in Multiple Symantec Products 9.0
4 JVNDB-2016-003444
(CVE-2016-2211)
CAB decompression memory corruption vulnerability in Multiple Symantec Products 9.3
5 JVNDB-2016-003445
(CVE-2016-3644)
MIME message modification memory corruption vulnerability in Multiple Symantec Products 10.0
6 JVNDB-2016-003446
(CVE-2016-3645)
TNEF integer overflow vulnerability in Multiple Symantec Products 10.0
7 JVNDB-2016-003447
(CVE-2016-3646)
ZIP decompression memory access violation vulnerability in Multiple Symantec Products 10.0

Normally, security software is there to protect a computer from threats such as malware. There are cases, however, where vulnerability is found in such security software and becomes a cause of exploitation.

Users should be aware that security software is susceptible to vulnerability just like any other software, and update it promptly when software security vendors released patches or updates for vulnerability in their products.

2. Details on JVN iPedia Registered Data

2-1. Type of Vulnerabilities Reported

Figure 2-1 shows the number of vulnerabilities newly added to JVN iPedia during the 3rd quarter of 2016, sorted by the CWE vulnerability types.

The type of the vulnerabilities reported most in the 3rd quarter is CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) with 327 cases, followed by CWE-200 (Information Exposure) with 189, CWE-264 (Permissions, Privileges and Access Controls with 187, CWE-20 (Improper Input Validation) with 133 and CWE-79 (Cross-Site Scripting) with 113. CWE-119, the most reported vulnerability type this quarter, could allow an attacker to execute arbitrary code on the affected server/PC, causing various undesirable consequences, such as unauthorized access to and/or modification of data.

Software developers need to make sure to implement necessary security measures from the planning and design phase of software development to mitigate vulnerability. IPA provides tools and guidelines, such as “How to Secure Your Website” (*9) for website developers and operators to create a secure website and “AppGoat” (*10) to help learn and understand vulnerability through hands-on practice and exercise.

2-2. Severity of Vulnerabilities Reported

Figure 2-2 shows the annual change in the severity of vulnerabilities registered to JVN iPedia based on the year they were first published.

As of the end of September 2016, 40.1 percent of all vulnerabilities registered since the launch of JVN iPedia are level III (“High”, CVSS Base Score = 7.0-10.0), 52.5 percent are level ll (“Medium”, CVSS Base Score = 4.0-6.9), and 7.4 percent are level I (“Low”, CVSS Base Score = 0.0-3.9).

This means the severity of 92.6 percent of the known vulnerabilities is level II or higher, which is critical enough to cause damage like information exposure or data modification. To mitigate threats imposed by the known vulnerabilities, it is essential for users to update software to the latest version or apply security patches as soon as possible when they become available.

In addition to a CVSSv2 severity score, JVN iPedia has started a pilot to provide a CVSSv3 severity score since December 1, 2015.

2-3. Type of Software Reported for Having Vulnerability

Figure 2-3 shows the annual change in the type of software reported with vulnerability. Application vulnerabilities have been disclosed most, accounting for 70.4 percent of the 2016 total so far.

Since 2007, vulnerability in industrial control systems (ICS) used in critical infrastructure sectors has started to be added to JVN iPedia. As of 2016/3Q, the total of 918 ICS vulnerabilities have been registered (Figure 2-4).

2-4. Product Reported

Table 2-4 lists the top 20 software whose vulnerabilities were most registered to JVN iPedia during the 3rd quarter (July to September) of 2016. Ranked 1st is Android with 231 vulnerabilities. They are those disclosed in their monthly security updates. Other than Android, many vulnerabilities in Microsoft operating systems, such as Windows 10, have been registered.

Besides browsers and operating systems, JVN iPedia stores vulnerabilities about a variety of software used in business and home. IPA hopes software users and developers will make use of JVN iPedia to efficiently check vulnerability information about the software they are using and take necessary action timely (*11).


Table 2-4. Top 20 Software Products Vulnerabilities Were Most Registered [Jul. 2016 – Sep.2016]
RankCategoryProduct Name (Vendor) Number of
Vulnerability
Registered
1 OS Android (Google) 231
2 Browser Google Chrome (Google) 138
3 OS Microsoft Windows 10 (Microsoft) 119
4 OS Microsoft Windows Server 2012 (Microsoft) 113
4 OS Microsoft Windows 8.1 (Microsoft) 113
6 OS Microsoft Windows RT 8.1 (Microsoft) 97
7 OS Apple Mac OS X (Apple) 91
8 OS iOS (Apple) 89
9 Media Player Adobe Flash Player (Adobe Systems) 78
10 OS tvOS (Apple) 59
11 Script Language PHP (The PHP Group) 48
12 Browser Mozilla Firefox (Mozilla Foundation) 44
13 PDF Viewer Adobe Reader (Adobe Systems) 39
13 PDF Viewer/Editor Adobe Acrobat (Adobe Systems) 39
13 PDF Viewer/Editor Adobe Acrobat DC (Adobe Systems) 39
13 PDF Viewer Adobe Acrobat Reader DC (Adobe Systems) 39
17 OS watchOS (Apple) 38
17 Browser Safari (Apple) 38
19 Browser Microsoft Internet Explorer (Microsoft) 37
20 OS Linux Kernel (kerner.org) 35

3. Most Accessed Vulnerability Countermeasure Information

Table 3-1 lists the top 20 most accessed vulnerability information in JVN iPedia during the 3rd quarter of 2016 (July – September).

Ranked 1st is a vulnerability in Apache Commons FileUpload. It is used by Apache Struts and Apache Tomcat, and a lot of other software might be affected as well. Apache Struts ranked 3rd, 5th, 13th and 14th, making vulnerability in web application development software a hot topic. The 4th and 10th are LINE vulnerabilities. If not using the latest version of LINE, users may end up with downloading malicious files via man-in-the-middle attacks or executing malicious programs.


Table 3-1. Top 20 Most Accessed Vulnerability Countermeasure Information in JVN iPedia [Jul. 2016 – Sep. 2016]
NoIDTitleCVSS
Score
Date
Public
1 JVNDB-2016-000121 Apache Commons FileUpload vulnerable to denial-of-service (DoS) 5.0 2016/6/30
2 JVNDB-2016-000154 Multiple AKABEi SOFT2 LTD. games vulnerable to OS command injection 6.8 2016/8/31
3 JVNDB-2016-000112 Apache Struts vulnerable to validation bypass in Getter method 6.8 2016/6/20
4 JVNDB-2016-000123 LINE for Windows may insecurely load Dynamic Link Libraries 6.8 2016/7/8
5 JVNDB-2016-000096 Apache Struts 1 vulnerability that allows unintended remote operations against components on memory 6.8 2016/6/7
6 JVNDB-2016-000125 WordPress plugin "Nofollow Links" vulnerable to cross-site scripting 2.6 2016/7/20
7 JVNDB-2016-000126 Vtiger CRM does not properly restrict access to application data 5.5 2016/7/20
8 JVNDB-2016-002475 Arbitrary code execution vulnerability in the ASN.1 implementation in OpenSSL (Japanese) 10.0 2016/5/10
9 JVNDB-2016-004375 net/ipv4/tcp_input.c in Linux Kernel vulnerable to TCP session hijack (Japanese) 4.3 2016/8/18
10 JVNDB-2016-000153 LINE for Windows fails to properly verify downloaded files 5.1 2016/8/25
11 JVNDB-2016-004511 DES and Triple DES encryption algorithm used in cryptographic protocols like TLS vulnerable to birthday attacks (Japanese) 5.0 2016/9/2
12 JVNDB-2016-000130 EC-CUBE plugin "Coupon Plugin" vulnerable to SQL injection 6.4 2016/7/22
13 JVNDB-2016-000097 Apache Struts 1 vulnerable to input validation bypass 5.8 2016/6/7
14 JVNDB-2016-000110 Apache Struts vulnerable to remote code execution 6.8 2016/6/20
15 JVNDB-2016-003304 OpenSSL Denial of Service (DoS) vulnerability (Japanese) 4.3 2016/6/22
16 JVNDB-2016-002474 Vulnerability in the AES-NI implementation in OpenSSL allows an attacker to obtain sensitive cleartext information (Japanese) 2.6 2016/5/10
17 JVNDB-2016-003802 Apache HTTP Server vulnerable to outbound HTTP traffic redirection to arbitrary proxy (Japanese) 5.1 2016/7/25
18 JVNDB-2016-000105 Multiple Hikari Denwa routers vulnerable to OS command injection 5.2 2016/6/27
19 JVNDB-2016-000106 Multiple Hikari Denwa routers vulnerable to cross-site request forgery 4.0 2016/6/27
20 JVNDB-2016-000152 simple chat vulnerable to cross-site scripting 4.3 2016/8/23

Table 3-2 lists the top 5 most accessed vulnerability information among those reported by domestic product developers. If using vulnerable software, system administrators should apply security patches or update their system as soon as possible to prevent damage.


Table 3-2. Top 5 Most Accessed Vulnerability Countermeasure Information Reported by Domestic Developers
[Jul. 2016 – Sep. 2016]
NoIDTitleCVSS
Score
Date
Public
1 JVNDB-2016-004496 Information Disclosure Vulnerability in Hitachi Automation Director and JP1/Automatic Operation 3.5 2016/9/2
2 JVNDB-2016-003527 Information Disclosure Vulnerability in Hitachi Command Suite 3.5 2016/7/13
3 JVNDB-2011-001632 Arbitrary Data Insertion Vulnerability in Hitachi Web Server SSL/TLS Protocol 4.3 2011/5/26
4 JVNDB-2016-002716 Cross-site Scripting Vulnerability in Hitachi Tuning Manager 4.3 2016/5/18
5 JVNDB-2016-002715 Information Disclosure Vulnerability in Hitachi Command Suite 3.5 2016/5/18

Note 1) Color Code for CVSS Base Score and Severity Level

CVSS Base Score = 0.0~3.9
Severity Level = I (Low)
CVSS Base Score = 4.0~6.9
Severity Level = II (Medium)
CVSS Base Score = 7.0~10.0
Severity Level = III (High)

Note 2) Color Code for Published Date

Published in 2014 and before Published in 2015 Published in 2016

Footnotes

(*1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information including information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.
https://jvn.jp/en/

(*2) National Vulnerability Database: A vulnerability database operated by NIST.
http://nvd.nist.gov/home.cfm

(*3) National Institute of Standards and Technology: A U.S federal agency that develops and promotes measurement, standards and technology.
http://www.nist.gov/

(*4) 3 things CISOs need to know about the Trident iOS vulnerabilities
https://blog.lookout.com/blog/2016/08/25/lookout-trident-pegasus-enterprise-discovery/

(*5) Emergency Security Alert for Apple iOS and OS X Vulnerabilities (CVE-2016-4655 and others)
https://www.ipa.go.jp/security/ciadr/vul/20160829-ios.html (Japanese)

(*6) Pegasus Spyware: Overview and What You Can Do
https://blog.lookout.com/jp/2016/09/08/pegasussummary/ (Japanese)

(*7) Emergency Security Alert for Symantec Products Vulnerabilities (CVE-2016-3647 and others)
https://www.ipa.go.jp/security/ciadr/vul/20160705-symantec.html (Japanese)

(*8) Security Advisories Relating to Symantec Products - Symantec Decomposer Engine Multiple Parsing Vulnerabilities
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_00

(*9) How to Secure Your Websites
https://www.ipa.go.jp/security/vuln/websecurity.html (Japanese)

(*10) Hands-on vulnerability learning and exercising tool "AppGoat"
https://www.ipa.go.jp/security/vuln/appgoat/index.html (Japanese)

(*11) IPA Technical Watch - Daily Practice Guide: Tips on Vulnerability Management
The guide gives tips on how to efficiently and efficiently collect and leverage vulnerability information.
https://www.ipa.go.jp/security/technicalwatch/20150331.html (Japanese)

Reference

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)