
Vulnerability Countermeasure Information Database JVN iPedia Registration Status [2016 4th Quarter (Oct. - Dec.)]

February 24, 2017
IT Security Center

1. 2016 4th Quarter: Vulnerability Countermeasure Information Database JVN iPedia Registration Status

The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/en/) aims to be a comprehensive database in which vulnerability countermeasure information about software used in Japan is aggregated so that IT users can access it easily. JVN iPedia collects and/or translates the vulnerability information published by 1) domestic software developers, 2) JVN (*1), a vulnerability information portal run by JPCERT/CC and IPA, and 3) NVD (*2), a vulnerability database run by NIST (*3). JVN iPedia has made this vulnerability information available to the public since April 25, 2007.

1-1. Vulnerabilities Registered in 2016 4Q

~ JVN iPedia now stores 64,618 vulnerabilities ~

A summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 4th quarter of 2016 (October 1 to December 31, 2016) is shown in the table below. As of the end of December 2016, the total number of vulnerabilities stored in JVN iPedia is 64,618 (Table 1-1, Figure 1-1).

In the English version, a total of 1,588 vulnerabilities are available, as shown in the lower half of the table.


Table 1-1. Registered Vulnerabilities in 4th Quarter of 2016

  Version           Information Source           Registered Cases   Cumulative Cases
  Japanese Version  Domestic Product Developers  1 case             179 cases
                    JVN                          117 cases          6,893 cases
                    NVD                          1,453 cases        57,546 cases
                    Total                        1,571 cases        64,618 cases
  English Version   Domestic Product Developers  1 case             179 cases
                    JVN                          71 cases           1,409 cases
                    Total                        72 cases           1,588 cases

1-2. Hot Topic #1: Annual Trend in Vulnerability Severity - Looking Back at Security Alerts Issued in 2016

~ 95.7% of Adobe Flash Player and 83.3% of Adobe Reader Vulnerabilities were "Level III (High)" ~

In 2016, as in previous years, many critical vulnerabilities in popular software, either assessed as highly severe or already exploited in cyberattacks, were disclosed. In the 4th quarter of 2016 alone, highly severe vulnerabilities in Adobe Reader and Oracle JRE (such as CVE-2016-1089 and CVE-2016-5556) were published in October. If exploited, these vulnerabilities may allow an attacker to take control of the affected computer. In December, an Adobe Flash Player vulnerability that had already been exploited in zero-day attacks (CVE-2016-7892) was published.

When such critical vulnerabilities are disclosed, IPA issues security alerts. IPA released 51 security alerts in total in 2016, of which 15 were for Adobe Flash Player, 5 for Adobe Reader and 5 for Oracle JRE, together making up about half of the total. The following looks at the registration status of these three products, which are the frequent subjects of security alerts.

Figures 1-2-1, 1-2-2 and 1-2-3 show the number and severity (CVSSv2) of the vulnerabilities in Adobe Flash Player, Adobe Reader and Oracle JRE reported in 2016, respectively. For Adobe Flash Player, Level III (High) vulnerabilities account for 95.7 percent, almost all of them, and for Adobe Reader the share is over 80 percent. Figure 1-2-4 shows the yearly change in the number and severity of the Adobe Reader vulnerabilities reported from 2012 to 2016.

The number of Adobe Reader vulnerabilities reported in 2016 is notably large, about 1.7 times that of the previous year. The share assessed as Level III (High) has been rising in recent years and reached 83.3 percent in 2016.

Continuing to use software with known vulnerabilities without applying security patches or updating to a fixed version increases the risk of a security breach through attacks that exploit those unresolved vulnerabilities. Users of Adobe Flash Player, Adobe Reader and Oracle JRE should regularly check whether updates are available and, if they are, update the software immediately. To help ensure timely updates, IPA offers the cyber security alert service "icat" (*4) to system administrators; the service pushes security alerts in real time as they are released.

Also, IPA offers a tool called "MyJVN Version Checker" (*5) to general IT users who use PC at home. By using the tool, the users can check if the applications installed on their PC are up to date. IPA encourages the use of MyJVN Version Checker as a routine vulnerability management task.

1-3. Hot Topic #2: Android OS Vulnerabilities in 2016

~ 508 Android vulnerabilities were disclosed in 2016, 4.5 times the 2015 figure ~

In October 2016, a Linux kernel vulnerability dubbed "Dirty Cow" (CVE-2016-5195) was disclosed. Since Android OS (hereafter "Android") is built on the Linux kernel, all Android versions, including the latest at that time (Android 7.0 Nougat), were potentially affected, and exploit code for Dirty Cow was publicly available at the time of disclosure. The year 2016 saw a large number of Android vulnerability disclosures.

Figure 1-3-1 shows the yearly change in the number and severity (CVSSv2) of the Android vulnerabilities reported from 2012 to 2016. Figure 1-3-2 shows those in 2016 alone.

Figure 1-3-1 shows that the number of Android vulnerabilities reported in 2016 is 4.5 times that in 2015. 65.9 percent of them are Level III (High) vulnerabilities, which could cause serious damage if exploited.

Users should be aware that vulnerabilities also exist in the devices they use casually every day, such as smartphones and tablets, and should update promptly when security updates are released.

2. Details on JVN iPedia Registered Data

2-1. Type of Vulnerabilities Reported

Figure 2-1 shows the number of vulnerabilities newly added to JVN iPedia during the 4th quarter of 2016, sorted by the CWE vulnerability types.

The vulnerability type reported most in the 4th quarter is CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) with 234 cases, followed by CWE-200 (Information Exposure) with 187, CWE-264 (Permissions, Privileges and Access Controls) with 160, CWE-79 (Cross-Site Scripting) with 149, and CWE-20 (Improper Input Validation) with 109. CWE-119, the most reported type this quarter, can allow an attacker to execute arbitrary code on the affected server or PC, with consequences such as unauthorized access to and/or modification of data.

Software developers need to build in the necessary security measures from the planning and design phases of development to reduce vulnerabilities. IPA provides tools and guidelines, such as "How to Secure Your Website" (*6) and the "Secure Programming Guide" (*7), for website developers and operators to build secure websites.

2-2. Severity of Vulnerabilities Reported

Figure 2-2 shows the yearly change in the severity (CVSSv2) of vulnerabilities registered to JVN iPedia based on the year they were first published.

Of those registered in 2016 (January 1 to December 31), 38.3 percent are Level III ("High", CVSS Base Score 7.0-10.0), 51.8 percent are Level II ("Medium", CVSS Base Score 4.0-6.9), and 9.9 percent are Level I ("Low", CVSS Base Score 0.0-3.9). This means 90.1 percent of the vulnerabilities reported in 2016 are Level II or higher, which are potentially severe enough to cause damage such as information exposure or data modification.

To mitigate threats imposed by the known vulnerabilities, it is essential for users to update software to the latest version or apply security patches as soon as possible when they become available.

In addition to CVSSv2 severity scores, JVN iPedia has provided CVSSv3 (*8) severity scores on a pilot basis since December 1, 2015.
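The tallies in Sections 2-1 and 2-2 (counts by CWE type, and the share of records at each severity level) are simple to reproduce for your own product list. The following is an added example, not IPA code: it bands CVSSv2 base scores into Levels I/II/III using the thresholds stated above, then summarizes a small batch of records. The record IDs, scores, CWE types and product names in SAMPLE are constructed for the example and do not correspond to real JVN iPedia entries.

```python
"""Severity banding and per-CWE tallies for a batch of JVN iPedia-style records.

Added example (not IPA code). The CVSSv2 level thresholds are the ones
given in the report (7.0-10.0 = III, 4.0-6.9 = II, 0.0-3.9 = I); record
IDs, scores, CWEs and product names below are constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass

# Severity bands, highest first; each entry is (level name, lowest score in band).
LEVELS = (("III (High)", 7.0), ("II (Medium)", 4.0), ("I (Low)", 0.0))


def severity_level(base_score: float) -> str:
    """Map a CVSSv2 base score to the JVN iPedia severity level.

    Published base scores carry one decimal place, so the value is rounded
    to one decimal before it is compared with the band floors.
    """
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSSv2 base score out of range: {base_score}")
    score = round(base_score, 1)
    for name, floor in LEVELS:
        if score >= floor:
            return name
    raise AssertionError("unreachable: the 0.0 floor always matches")


@dataclass(frozen=True)
class Record:
    record_id: str   # constructed placeholder, not a real JVNDB ID
    cvss_v2: float
    cwe: str
    product: str


# Constructed sample batch (hypothetical products and scores), including
# records sitting exactly on the band boundaries.
SAMPLE = [
    Record("SAMPLE-0001", 10.0, "CWE-119", "ExampleReader"),
    Record("SAMPLE-0002", 7.2, "CWE-264", "ExampleOS"),
    Record("SAMPLE-0003", 9.3, "CWE-119", "ExamplePlayer"),
    Record("SAMPLE-0004", 6.8, "CWE-119", "ExampleInstaller"),
    Record("SAMPLE-0005", 4.3, "CWE-79", "ExampleCMS"),
    Record("SAMPLE-0006", 5.0, "CWE-200", "ExampleCMS"),
    Record("SAMPLE-0007", 4.0, "CWE-352", "ExampleCMS"),   # lower edge of II
    Record("SAMPLE-0008", 2.6, "CWE-79", "ExampleAdmin"),
    Record("SAMPLE-0009", 6.9, "CWE-20", "ExampleOS"),     # upper edge of II
    Record("SAMPLE-0010", 7.0, "CWE-200", "ExampleOS"),    # lower edge of III
]


def severity_distribution(records):
    """Return {level: (count, percent)} in the order III, II, I (cf. Figure 2-2)."""
    counts = Counter(severity_level(r.cvss_v2) for r in records)
    total = len(records)
    return {name: (counts[name], round(100.0 * counts[name] / total, 1))
            for name, _ in LEVELS}


def share_at_or_above(records, level: str) -> float:
    """Percent of records at the given level or higher ("Level II or higher")."""
    rank = {name: i for i, (name, _) in enumerate(LEVELS)}  # 0 = most severe
    hits = sum(1 for r in records if rank[severity_level(r.cvss_v2)] <= rank[level])
    return round(100.0 * hits / len(records), 1)


def top_cwe(records, n: int = 5):
    """Most frequent CWE types, as in Figure 2-1."""
    return Counter(r.cwe for r in records).most_common(n)


def products_with_high_severity(records):
    """Products with at least one Level III record: first candidates for an update."""
    return sorted({r.product for r in records
                   if severity_level(r.cvss_v2) == "III (High)"})


if __name__ == "__main__":
    for name, (count, pct) in severity_distribution(SAMPLE).items():
        print(f"{name:12} {count:3} ({pct}%)")
    print("Level II or higher:", share_at_or_above(SAMPLE, "II (Medium)"), "%")
    print("Top CWE:", top_cwe(SAMPLE, 3))
    print("Update first:", products_with_high_severity(SAMPLE))
```

The boundary records (4.0, 6.9 and 7.0) are the ones worth checking when you implement this yourself: a comparison written as `score > 7.0` instead of `>=` silently demotes every 7.0 record to Level II.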

2-3. Type of Software Reported for Having Vulnerability

Figure 2-3 shows the yearly change in the type of software reported as having vulnerabilities. Application vulnerabilities have been disclosed most, accounting for 72.4 percent of the 2016 total.

Since 2007, vulnerabilities in industrial control systems (ICS) used in critical infrastructure sectors have been added to JVN iPedia. As of 4Q 2016, a total of 945 ICS vulnerabilities have been registered (Figure 2-4).

2-4. Product Reported with Vulnerabilities

Table 2-4 lists the top 20 software products whose vulnerabilities were most registered to JVN iPedia during the 4th quarter (October to December) of 2016. Ranked 1st is Android with 129 vulnerabilities. Apart from Android, many Microsoft products such as Windows 10 also appear in the list (the Microsoft products in the table account for 418 vulnerabilities in total this quarter).

Besides the operating systems and browsers that regularly appear in the ranking, JVN iPedia stores vulnerabilities in a wide variety of software used in business and at home. IPA hopes software developers and users will make use of JVN iPedia to check vulnerability information about the software they use efficiently and take the necessary action in a timely manner (*9).


Table 2-4. Top 20 Software Products Whose Vulnerabilities Were Most Registered [Oct. 2016 – Dec. 2016]

  Rank  Category           Product Name (Vendor)                      Number of Vulnerabilities Registered
  1     OS                 Android (Google)                           129
  2     PDF Viewer         Adobe Reader (Adobe Systems)               75
  2     PDF Viewer/Editor  Adobe Acrobat (Adobe Systems)              75
  2     PDF Viewer/Editor  Adobe Acrobat DC (Adobe Systems)           75
  2     PDF Viewer         Adobe Acrobat Reader DC (Adobe Systems)    75
  6     OS                 Microsoft Windows 10 (Microsoft)           60
  7     OS                 Microsoft Windows 8.1 (Microsoft)          51
  8     OS                 Microsoft Windows Server 2012 (Microsoft)  49
  9     Script Language    phpMyAdmin (The phpMyAdmin Project)        48
  10    OS                 Microsoft Windows 7 (Microsoft)            46
  11    OS                 Microsoft Windows RT 8.1 (Microsoft)       44
  11    OS                 Microsoft Windows Server 2008 (Microsoft)  44
  11    OS                 Microsoft Windows Vista (Microsoft)        44
  14    Browser            Microsoft Edge (Microsoft)                 41
  15    Media Player       Adobe Flash Player (Adobe Systems)         40
  16    OS                 Microsoft Windows Server 2016 (Microsoft)  39
  17    OS                 Linux Kernel (kernel.org)                  38
  18    Emulator           QEMU (Fabrice Bellard)                     36
  19    Browser            w3m (w3m project)                          31
  20    Middleware         MySQL (Oracle)                             29

3. Most Accessed Vulnerability Countermeasure Information

Table 3-1 lists the top 20 most accessed vulnerability information in JVN iPedia during the 4th quarter of 2016 (October – December).

Ranked 1st is a vulnerability in Flexera InstallShield, a tool used to create installers. Ranked 2nd is the Linux kernel "Dirty Cow" vulnerability. Likely because they were picked up by news outlets, SetucoCMS vulnerabilities ranked 7th, 9th, 10th, 11th, 12th and 15th. SetucoCMS is no longer supported, so users need to stop using it to avoid the harm these vulnerabilities may cause.


Table 3-1. Top 20 Most Accessed Vulnerabilities in JVN iPedia [Oct. 2016 – Dec. 2016]

  No  ID                 CVSS Score  Date Public  Access Count  Title
  1   JVNDB-2016-001684  7.2         2016/3/14    6,176         Flexera InstallShield Windows Setup Launcher Executable Issues (Japanese)
  2   JVNDB-2016-005596  7.2         2016/10/25   5,723         Linux kernel race condition in mm/gup.c by leveraging incorrect handling of a copy-on-write (COW) feature (Japanese)
  3   JVNDB-2016-000211  6.8         2016/10/26   4,829         Installer of 7-Zip for Windows may insecurely load Dynamic Link Libraries
  4   JVNDB-2016-000207  6.8         2016/10/19   4,713         The installer of e-Tax Software may insecurely load Dynamic Link Libraries
  5   JVNDB-2016-000202  2.6         2016/10/7    4,443         Usermin cross-site scripting vulnerabilities
  6   JVNDB-2016-004511  5.0         2016/9/2     4,386         DES and Triple DES encryption algorithms used in cryptographic protocols like TLS vulnerable to birthday attacks (Japanese)
  7   JVNDB-2016-000196  4.0         2016/10/7    4,236         SetucoCMS vulnerable to cross-site request forgery
  8   JVNDB-2016-000195  4.3         2016/10/7    4,235         Cryptography API: Next Generation (CNG) vulnerable to denial-of-service (DoS)
  9   JVNDB-2016-000200  6.5         2016/10/7    4,232         SetucoCMS vulnerable to code injection
  10  JVNDB-2016-000201  4.0         2016/10/7    4,180         SetucoCMS vulnerable to session management
  11  JVNDB-2016-000197  4.3         2016/10/7    4,174         SetucoCMS vulnerable to cross-site scripting
  12  JVNDB-2016-000198  6.5         2016/10/7    4,076         SetucoCMS vulnerable to SQL injection
  13  JVNDB-2016-000215  7.5         2016/11/2    4,065         Access restriction bypass vulnerability in WFS-SR01
  14  JVNDB-2016-000214  7.5         2016/11/2    4,042         Command injection vulnerability in WFS-SR01
  15  JVNDB-2016-000199  5.0         2016/10/7    3,994         SetucoCMS vulnerable to denial-of-service (DoS)
  16  JVNDB-2016-000212  6.8         2016/11/1    3,965         The installer of The Public Certification Service for Individuals "The JPKI user's software" may insecurely load Dynamic Link Libraries
  17  JVNDB-2016-000192  6.8         2016/10/3    3,887         Cybozu Office vulnerable to denial-of-service (DoS)
  18  JVNDB-2016-000193  3.5         2016/10/3    3,677         Cybozu Office vulnerable to Reflected File Download (RFD)
  19  JVNDB-2016-000210  6.5         2016/10/20   3,649         SQL injection vulnerability in WordPress plugin WP-OliveCart
  20  JVNDB-2016-000168  5.4         2016/9/27    3,550         Toshiba FlashAir does not require authentication in "Internet pass-thru Mode"

Table 3-2 lists the top 5 most accessed vulnerabilities among those reported by domestic product developers. System administrators running vulnerable software should apply security patches or update their systems as soon as possible to prevent damage.


Table 3-2. Top 5 Most Accessed Vulnerabilities Reported by Domestic Developers [Oct. 2016 – Dec. 2016]

  No  ID                 CVSS Score  Date Public  Access Count  Title
  1   JVNDB-2016-005655  10.0        2016/11/1    3,434         Vulnerabilities in JP1/IT Desktop Management 2 - Manager and JP1/NETM/DM
  2   JVNDB-2016-004496  3.5         2016/9/2     1,135         Information Disclosure Vulnerability in Hitachi Automation Director and JP1/Automatic Operation
  3   JVNDB-2011-001632  4.3         2011/5/26    241           Arbitrary Data Insertion Vulnerability in Hitachi Web Server SSL/TLS Protocol
  4   JVNDB-2007-001022  4.3         2007/12/25   221           Apache UTF-7 Encoding Cross-Site Scripting Vulnerability
  5   JVNDB-2011-001633  5.1         2011/5/26    198           Header Customization by Hitachi Web Server RequestHeader Directive Could Allow Attacker to Access Data Deleted from Memory

Note 1) Color Code for CVSS Base Score and Severity Level

  CVSS Base Score 0.0-3.9   Severity Level I (Low)
  CVSS Base Score 4.0-6.9   Severity Level II (Medium)
  CVSS Base Score 7.0-10.0  Severity Level III (High)

Note 2) Color Code for Published Date

  Published in 2014 and before / Published in 2015 / Published in 2016

Footnotes

(*1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information, including information on vendor responses to reported vulnerabilities and security support. Operated jointly by IPA and JPCERT/CC.
https://jvn.jp/en/

(*2) National Vulnerability Database: A vulnerability database operated by NIST.
http://nvd.nist.gov/home.cfm

(*3) National Institute of Standards and Technology: A U.S federal agency that develops and promotes measurement, standards and technology.
http://www.nist.gov/

(*4) icat: As of December 2016, used by about 1,100 websites including companies, government agencies and educational institutions.
https://www.ipa.go.jp/security/vuln/icat.html (Japanese)

(*5) MyJVN Version Checker
http://jvndb.jvn.jp/apis/myjvn/ (Japanese)

(*6) How to Secure Your Websites
https://www.ipa.go.jp/security/vuln/websecurity.html (Japanese)

(*7) Secure Programming Guide
https://www.ipa.go.jp/security/awareness/vendor/programming/ (Japanese)

(*8) CVSSv3: An open framework for assessing the severity of vulnerabilities. Version 3 takes into account technological changes such as the prevalence of virtualization and sandboxing.
https://www.ipa.go.jp/security/vuln/CVSSv3.html (Japanese)

(*9) IPA Technical Watch - Daily Practice Guide: Tips on Vulnerability Management
The guide gives tips on how to collect and leverage vulnerability information efficiently and effectively.
https://www.ipa.go.jp/security/technicalwatch/20150331.html (Japanese)


Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)