HOMEIT SecurityMeasures for Information Security VulnerabilitiesQuarterly ReportsVulnerability Countermeasure Information Database JVN iPedia Registration Status [2017 1st Quarter (Jan. - Mar.)]
June 9, 2017
IT Security Center
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/en/) is endeavoring to become a comprehensive database where vulnerability information about software used in Japan is aggregated for IT users to easily access vulnerability information. JVN iPedia collects and/or translates the vulnerability information published by 1) domestic software developers, 2) JVN (*1), a vulnerability information portal run by JPCERT/CC and IPA, and 3) NVD (*2), a vulnerability database run by NIST (*3). JVN iPedia has continued to make the vulnerability information available to the public since April 25, 2007.
~ JVN iPedia now stores 67,485 vulnerabilities ~
The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 1st quarter of 2017 (January 1 to March 31, 2017) is shown in the table below. As of the end of March 2017, the total number of vulnerabilities stored in JVN iPedia is 67,485 (Table 1-1, Figure 1-1). The boost in the number of vulnerabilities registered during this quarter came from the increase in the number of vulnerabilities published by NVD. As shown in Table 1-1, the number of the NVD-based vulnerability information was 2,599. Compared to 1,453 of the 4th quarter of 2016, the number has raised more than 1,000.
As for the English version, the total of 1,636 vulnerabilities are available as shown in the lower half of the table.
| Information Source | Registered Cases | Cumulative Cases | |
|---|---|---|---|
| Japanese Version | Domestic Product Developers | 1 cases | 180 cases |
| JVN | 267 cases | 7,160 cases | |
| NVD | 2,599 cases | 60,145 cases | |
| Total | 2,867 cases | 67,485 cases | |
| English Version | Domestic Product Developers | 1 cases | 180 cases |
| JVN | 47 cases | 1,456 cases | |
| Total | 48 cases | 1,636 cases |
~ "CVSS 10.0" Apache vulnerabilities continue to be reported: 1 this quarter, 3 out of 16 in FY2016 ~
In March 2017, an Apache Struts 2 (*4) vulnerability S2-045 was disclosed. If exploited, this vulnerability could allow remote attackers to execute arbitrary code on affected servers. Since communication traffic and damages likely caused by attacks exploiting this vulnerability were observed, IPA issued an emergency security alert (*5). Later on, security breaches of personal information due to this vulnerability were confirmed (*6), making it a high-profile vulnerability.
Table 1-2 is a list of Apache Struts 2 vulnerabilities registered to JVN iPedia in FY2016. There were 16 vulnerabilities and JVNDB-2017-001621 is the one mentioned above (S2-045). Its CVSSv2 score (the severity of a vulnerability) is 10.0, which is the highest among the "High" scores ("High" is classified as CVSSv2 Base Scores between 7.0 and 10.0). In FY2016, there were two more CVSSv2 10.0 vulnerabilities of Apache Struts 2 besides JVNDB-2017-001621. Such serious vulnerabilities may continue to be reported from time to time in FY2017.
| No | ID (CVE) | Title | CVSSv2 Base Score | Date Public |
|---|---|---|---|---|
| 1 | JVNDB-2017-001621 (CVE-2017-5638) |
Apache Struts 2 Arbitrary Code Execution Vulnerability (in Japanese only) | 10.0 | 2017/3/10 |
| 2 | JVNDB-2017-000012 (N/A) |
Java (OGNL) code execution in Apache Struts 2 when devMode is enabled | 6.8 | 2017/1/20 | 3 | JVNDB-2016-005078 (CVE-2016-4436) |
Apache Struts 2 Vulnerability (in Japanese only) | 7.5 | 2016/10/6 | 4 | JVNDB-2016-000121 (CVE-2016-3092) |
Apache Commons FileUpload vulnerable to denial-of-service (DoS) | 5.0 | 2016/6/30 | 5 | JVNDB-2016-000114 (CVE-2016-4465) |
Apache Struts vulnerable to denial-of-service (DoS) | 5.0 | 2016/6/20 | 6 | JVNDB-2016-000113 (CVE-2016-4431) |
Apache Struts vulnerable to input validation bypass | 6.8 | 2016/6/20 | 7 | JVNDB-2016-000112 (CVE-2016-4433) |
Apache Struts vulnerable to validation bypass in Getter method | 6.8 | 2016/6/20 | 8 | JVNDB-2016-000111 (CVE-2016-4430) |
Apache Struts vulnerable to cross-site request forgery | 4.3 | 2016/6/20 | 9 | JVNDB-2016-000110 (CVE-2016-4438) |
Apache Struts vulnerable to remote code execution Vulnerability | 6.8 | 2016/6/20 | 10 | JVNDB-2016-003041 (CVE-2016-3093) |
Apache Struts Denial of Service (DoS) Vulnerability (in Japanese only) | 5.0 | 2016/6/10 |
| 11 | JVNDB-2016-003040 (CVE-2016-3087) |
Apache Struts Arbitrary Code Execution Vulnerability (in Japanese only) | 7.5 | 2016/6/10 |
| 12 | JVNDB-2016-002406 (CVE-2016-3082) |
XSLTResult in Apache Struts Arbitrary Code Execution (in Japanese only) | 10.0 | 2016/5/6 |
| 13 | JVNDB-2016-002326 (CVE-2016-3081) |
Apache Struts 2 Arbitrary Code Execution Vulnerability (in Japanese only) | 9.3 | 2016/4/28 |
| 14 | JVNDB-2016-002076 (CVE-2016-2162) |
Apache Struts Cross-Site scripting Vulnerability (in Japanese only) | 4.3 | 2016/4/18 |
| 15 | JVNDB-2016-002075 (CVE-2016-0785) |
Apache Struts Arbitrary Code Execution Vulnerability (in Japanese only) | 10.0 | 2016/4/18 |
| 16 | JVNDB-2016-002004 (CVE-2016-4033) |
Cross-Site Scripting Vulnerability in JRE URLDecoder used in Apache Struts (in Japanese only) | 4.3 | 2016/4/13 |
Once uploaded to the Internet, websites are accessible from anywhere, anytime. Because of that nature, when vulnerability is found in widely-used web application frameworks like Apache Struts 2, websites developed with such frameworks are targeted by attackers and could fall victim to data breach. System operators and administrators should collect vulnerability information about the software they are using from information sources such as news media, vendor websites and vulnerability information portals (*7). By fixing disclosed vulnerabilities promptly, it is possible to prevent the attacks that try to exploit them.
~ Sixteen vulnerabilities this quarter. Increasing trend in the last three years ~
In February 2017, several vulnerabilities in WordPress, a popular content management system, were disclosed. If exploited, these vulnerabilities could allow remote attackers to tamper with web contents on affected servers. Since attack code was confirmed, IPA issued an emergency security alert (*8). After the vulnerabilities were disclosed, more than 60,000 websites were tampered with due to the public availability of attack code (*9). The victimized websites were those that had not updated their WordPress to the fixed version.
Figure 1-3 shows the quarterly number of WordPress vulnerabilities registered to JVN iPedia in the last 3 years, from April 2014 to March 2017. There are 70 vulnerabilities in 12 quarters (3 years) and 16 in the 1st quarter of 2017 alone. Although there are some declines on occasion, it shows an increasing trend overall. This trend may continue into the future.
If vulnerability in WordPress is exploited, website could be tampered with and arbitrary script or HTML may be inserted. The tampered websites may be abused to spread malware and the victims could be turned into attackers. Website operators should be aware of not only the WordPress version they are using but also what and which version of WordPress plugins they are using, and make sure to update them when the latest versions are released by developers.
Apache Struts 2 and WordPress addressed in the Hot Topics are both website-related software. From the looks of things in the 1st quarter, it seems damage of attacks expands when attack code that exploits website-related vulnerability is confirmed and abused.
When a serious vulnerability is disclosed, IPA issues an emergency security alert. The alerts can be received as soon as it is issued through the service called “icat for JSON (*10).
Figure 2-1 shows the number of vulnerabilities newly added to JVN iPedia during the 1st quarter of 2017, sorted by the CWE vulnerability types.
The type of the vulnerabilities reported most in the 1st quarter is CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) with 400 cases, followed by CWE-200 (Information Exposure) with 327, CWE-284 (Improper Access Control) with 323 cases, CWE-79 Cross-Site Scripting) with 290, and CWE-264 (Permissions, Privileges and Access Controls with 243. CWE-119, the most reported vulnerability type this quarter, could allow attackers to execute arbitrary code on affected servers/PCs, causing various undesirable consequences, such as unauthorized access to and/or modification of data.
Software developers need to make sure to implement necessary security measures from the planning and design phase of software development to mitigate vulnerability. IPA provides tools and guidelines, such as "How to Secure Your Website" (*11) and "Secure Programing Guide" (*12) for website developers and operators to build secure websites.
Figure 2-2 shows the yearly change in the severity (CVSSv2) of vulnerabilities registered to JVN iPedia based on the year they were first published.
As of March 2017, 39.5 percent are level III (“High”, CVSS Base Score = 7.0-10.0), 52.9 percent are level ll (“Medium”, CVSS Base Score = 4.0-6.9), and 7.6 percent are level I (“Low”, CVSS Base Score = 0.0-3.9). This means 92.4 percent of all vulnerabilities reported are level II or higher, which are potentially critical enough to cause damage like information exposure or data modification.
To mitigate threats imposed by the known vulnerabilities, it is essential for users to update software to the latest version or apply security patches as soon as possible when they become available.
In addition to a CVSSv2 severity score, JVN iPedia has started a pilot to provide a CVSSv3 (*13) severity score since December 1, 2015 (*14).
Figure 2-3 shows the yearly change in the type of software reported with vulnerability. Application vulnerabilities have been published most, accounting for 73.5 percent of the 2017 total.
Since 2007, vulnerability in industrial control systems (ICS) used in critical infrastructure sectors has started to be added to JVN iPedia. As of the 1st quarter of 2017, the total of 1,022 ICS vulnerabilities have been registered (Figure 2-4).
Table 2-4 lists the top 20 software whose vulnerabilities were most registered to JVN iPedia during the 1st quarter (January to March) of 2017. Ranked 1st is Linux Kernel with 210 vulnerabilities. Many operating systems and other software provided by popular vendors such as Microsoft, Apple and Oracle are ranked in.
Besides those in the top 20 list, JVN iPedia stores vulnerabilities about a variety of software used in business and at home in Japan. IPA hopes software developers and users will make use of JVN iPedia to efficiently check vulnerability information about the software they are using and take necessary action timely (*15).
| Rank | Category | Product Name (Vendor) | Number of Vulnerabilities Registered |
|---|---|---|---|
| 1 | OS | Linux Kernel (kernel.org) | 210 |
| 2 | OS | Android (Google) | 159 |
| 3 | Enterprise Resource Management | Oracle E-Business Suite (Oracle) | 121 |
| 4 | OS | iOS (Apple) | 108 |
| 5 | OS | Apple Mac OS X (Apple) | 79 |
| 6 | OS | tvOS (Apple) | 78 |
| 7 | OS | Microsoft Windows Server 2008 (Microsoft) | 66 |
| 8 | OS | Microsoft Windows 7 (Microsoft) | 65 |
| 9 | Browser | Google Chrome (Google) | 63 |
| 10 | OS | Microsoft Windows Vista (Microsoft) | 57 |
| 11 | OS | Microsoft Windows Server 2016 (Microsoft) | 47 |
| 12 | OS | Microsoft Windows 10 (Microsoft) | 46 |
| 13 | OS | Debian GNU/Linux (Debian) | 45 |
| 14 | OS | watchOS (Apple) | 43 |
| 15 | OS | Microsoft Windows Server 2012 (Microsoft) | 42 |
| 15 | Browser | Safari (Apple) | 42 |
| 17 | Service Management | Oracle Advanced Outbound Telephony (Oracle) | 41 |
| 17 | Packet Capture | tcpdump (The Tcpdump Group) | 41 |
| 19 | OS | Microsoft Windows 8.1 (Microsoft) | 39 |
| 20 | Clock Synchronization | NTP (NTP Project) | 38 |
Table 3-1 lists the top 20 most accessed vulnerability information in JVN iPedia during the 1st quarter of 2017 (January – March).
Apache Struts 2 are ranked 1st and 2nd, suggesting Apache Struts 2 vulnerabilities attracted a lot of attention. The 4rh one, SKYSEA Client View, is actually a vulnerability registered last quarter, but possibly because this software is widely used for asset management by various organizations, maybe there are system administrators and user still coming to see to deal with it. IPA issued emergency security alerts for Apache Struts 2 and SKYSEA Client View since attacks exploiting their vulnerabilities had been confirmed.
Table 3-2 lists the top 5 most accessed vulnerability information among those reported by domestic product developers. If using vulnerable software, system administrators should apply security patches or update their system as soon as possible to prevent damage.
| No | ID | Title | CVSSv2 Base Score | Date Public | Access Count |
|---|---|---|---|---|---|
| 1 | JVNDB-2016-006450 | Vulnerability in JP1/Cm2/Network Node Manager i | 4.3 | 2017/1/4 | 1,885 |
| 2 | JVNDB-2016-005655 | Vulnerabilities in JP1/IT Desktop Management 2 - Manager and JP1/NETM/DM | 10.0 | 2016/11/1 | 835 |
| 3 | JVNDB-2011-001632 | Arbitrary Data Insertion Vulnerability in Hitachi Web Server SSL/TLS Protocol | 4.3 | 2011/5/26 | 227 |
| 4 | JVNDB-2007-001022 | Apache UTF-7 Encoding Cross-Site Scripting Vulnerability | 4.3 | 2007/12/25 | 227 |
| 5 | JVNDB-2011-001633 | Header Customization by Hitachi Web Server RequetHeader Directive Could Allow Attacker to Access Data Deleted from Memory | 5.1 | 2011/5/26 | 206 |
Note 1) Color Code for CVSS Base Score and Severity Level
| CVSS Base Score = 0.0~3.9 Severity Level = I (Low) |
CVSS Base Score = 4.0~6.9 Severity Level = II (Medium) |
CVSS Base Score = 7.0~10.0 Severity Level = III (High) |
Note 2) Color Code for Published Date
| Published in 2015 and before | Published in 2016 | Published in 2017 |
(*1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information including information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.
https://jvn.jp/en/
(*2) National Vulnerability Database: A vulnerability database operated by NIST.
http://nvd.nist.gov/home.cfm
(*3) National Institute of Standards and Technology: A U.S federal agency that develops and promotes measurement, standards and technology.
http://www.nist.gov/
(*4) An open-source software framework for developing Java web applications.
(*5) [Update] Emergency Security Alert for Apache Struts 2 Vulnerabilities (CVE-2017-5638)(S2-045)(S2-046)
https://www.ipa.go.jp/security/ciadr/vul/20170308-struts.html (in Japanese only)
(*6) Japan Housing Finance Agency: Unauthorized Access to Contractor GMO Payment Gateway Website and Possible Data Breach of Personal Information
http://www.jhf.go.jp/topics/topics_20170310_im.html (in Japanese only)
(*7) Apache Struts 2 Vulnerabilities
https://www.ipa.go.jp/security/announce/struts2_list.html (in Japanese only)
(*8) Emergency Security Alert for WordPress Vulnerabilities
https://www.ipa.go.jp/security/ciadr/vul/20170206-wordpress.html (in Japanese only)
(*9) Cyberattacks exploiting WordPress vulnerabilities on the raise - More than 6 million websites hacked
http://www.itmedia.co.jp/enterprise/articles/1702/09/news064.html (in Japanese only)
(*10) A security information service that displays IPA security alerts in one’s website in real-time. Used by more than 1,000 websites including companies, government agencies and educational institutions.
https://www.ipa.go.jp/security/vuln/icat.html (in Japanese only)
(*11) How to Secure Your Websites
https://www.ipa.go.jp/security/vuln/websecurity.html (latest version in Japanese only )
(*12) Secure Programing Guide
https://www.ipa.go.jp/security/awareness/vendor/programming/ (in Japanese only)
(*13) CVSSv3: An open framework for assessing the severity of vulnerabilities. With v3, evolution of technology, such as the prevalence of virtualization and sandbox technology, have been considered and introduced.
https://www.first.org/cvss/specification-document
https://www.ipa.go.jp/security/vuln/CVSSv3.html (in Japanese only)
(*14) IPA has started to add CVSSv3 score to JVN iPedia
https://www.ipa.go.jp/security/vuln/SeverityLevel3.html (in Japanese only)
(*15) IPA Technical Watch - Daily Practice Guide: Tips on Vulnerability Management
The guide gives tips on how to efficiently and efficiently collect and leverage vulnerability information.
https://www.ipa.go.jp/security/technicalwatch/20150331.html (in Japanese only)
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
