Vulnerability Countermeasure Information Database JVN iPedia Registration Status [2017 1st Quarter (Jan. - Mar.)]

June 9, 2017
IT Security Center

1. 2017 1st Quarter: Vulnerability Countermeasure Information Database JVN iPedia Registration Status

The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/en/) aims to be a comprehensive database that aggregates vulnerability information about software used in Japan so that IT users can find it easily. JVN iPedia collects and/or translates the vulnerability information published by 1) domestic software developers, 2) JVN (*1), a vulnerability information portal run by JPCERT/CC and IPA, and 3) NVD (*2), a vulnerability database run by NIST (*3). JVN iPedia has made this information available to the public since April 25, 2007.

1-1. Vulnerabilities Registered in 2017/1Q

~ JVN iPedia now stores 67,485 vulnerabilities ~

The vulnerability information registered to the Japanese version of JVN iPedia during the 1st quarter of 2017 (January 1 to March 31, 2017) is summarized in the table below. As of the end of March 2017, the total number of vulnerabilities stored in JVN iPedia is 67,485 (Table 1-1, Figure 1-1). The jump in registrations this quarter came from the increase in the number of vulnerabilities published by NVD: as Table 1-1 shows, 2,599 NVD-based entries were registered, compared with 1,453 in the 4th quarter of 2016, a rise of more than 1,000.

As for the English version, a total of 1,636 vulnerabilities are available, as shown in the lower half of the table.


Table 1-1. Registered Vulnerabilities in 1st Quarter of 2017

Version | Information Source | Registered Cases | Cumulative Cases
Japanese Version | Domestic Product Developers | 1 case | 180 cases
Japanese Version | JVN | 267 cases | 7,160 cases
Japanese Version | NVD | 2,599 cases | 60,145 cases
Japanese Version | Total | 2,867 cases | 67,485 cases
English Version | Domestic Product Developers | 1 case | 180 cases
English Version | JVN | 47 cases | 1,456 cases
English Version | Total | 48 cases | 1,636 cases

1-2. Hot Topic #1: Apache Struts 2 Vulnerabilities

~ Apache Struts 2 vulnerabilities rated CVSS 10.0 keep coming: 1 this quarter, 3 of the 16 registered in FY2016 ~

In March 2017, the Apache Struts 2 (*4) vulnerability S2-045 was disclosed. If exploited, it allows remote attackers to execute arbitrary code on affected servers. Because attack traffic, and damage likely caused by it, had already been observed, IPA issued an emergency security alert (*5). Breaches of personal information caused by this vulnerability were later confirmed (*6), making it a high-profile vulnerability.

Table 1-2 lists the Apache Struts 2 vulnerabilities registered to JVN iPedia in FY2016. There were 16, and JVNDB-2017-001621 is the one discussed above (S2-045). Its CVSSv2 base score (a measure of severity) is 10.0, the top of the "High" band ("High" covers CVSSv2 base scores from 7.0 to 10.0). Besides JVNDB-2017-001621, FY2016 saw two more Apache Struts 2 vulnerabilities scored 10.0. Vulnerabilities of this seriousness can be expected to appear from time to time in FY2017 as well.

Table 1-2. Apache Struts 2 Vulnerabilities Registered to JVN iPedia from April 2016 to March 2017

No | ID (CVE) | Title | CVSSv2 Base Score | Date Public
1 | JVNDB-2017-001621 (CVE-2017-5638) | Apache Struts 2 Arbitrary Code Execution Vulnerability (in Japanese only) | 10.0 | 2017/3/10
2 | JVNDB-2017-000012 (N/A) | Java (OGNL) code execution in Apache Struts 2 when devMode is enabled | 6.8 | 2017/1/20
3 | JVNDB-2016-005078 (CVE-2016-4436) | Apache Struts 2 Vulnerability (in Japanese only) | 7.5 | 2016/10/6
4 | JVNDB-2016-000121 (CVE-2016-3092) | Apache Commons FileUpload vulnerable to denial-of-service (DoS) | 5.0 | 2016/6/30
5 | JVNDB-2016-000114 (CVE-2016-4465) | Apache Struts vulnerable to denial-of-service (DoS) | 5.0 | 2016/6/20
6 | JVNDB-2016-000113 (CVE-2016-4431) | Apache Struts vulnerable to input validation bypass | 6.8 | 2016/6/20
7 | JVNDB-2016-000112 (CVE-2016-4433) | Apache Struts vulnerable to validation bypass in Getter method | 6.8 | 2016/6/20
8 | JVNDB-2016-000111 (CVE-2016-4430) | Apache Struts vulnerable to cross-site request forgery | 4.3 | 2016/6/20
9 | JVNDB-2016-000110 (CVE-2016-4438) | Apache Struts vulnerable to remote code execution Vulnerability | 6.8 | 2016/6/20
10 | JVNDB-2016-003041 (CVE-2016-3093) | Apache Struts Denial of Service (DoS) Vulnerability (in Japanese only) | 5.0 | 2016/6/10
11 | JVNDB-2016-003040 (CVE-2016-3087) | Apache Struts Arbitrary Code Execution Vulnerability (in Japanese only) | 7.5 | 2016/6/10
12 | JVNDB-2016-002406 (CVE-2016-3082) | XSLTResult in Apache Struts Arbitrary Code Execution (in Japanese only) | 10.0 | 2016/5/6
13 | JVNDB-2016-002326 (CVE-2016-3081) | Apache Struts 2 Arbitrary Code Execution Vulnerability (in Japanese only) | 9.3 | 2016/4/28
14 | JVNDB-2016-002076 (CVE-2016-2162) | Apache Struts Cross-Site Scripting Vulnerability (in Japanese only) | 4.3 | 2016/4/18
15 | JVNDB-2016-002075 (CVE-2016-0785) | Apache Struts Arbitrary Code Execution Vulnerability (in Japanese only) | 10.0 | 2016/4/18
16 | JVNDB-2016-002004 (CVE-2016-4033) | Cross-Site Scripting Vulnerability in JRE URLDecoder used in Apache Struts (in Japanese only) | 4.3 | 2016/4/13

Once a website is on the Internet it is reachable from anywhere, at any time. Because of that, when a vulnerability is found in a widely used web application framework such as Apache Struts 2, websites built on it become targets and can suffer data breaches. System operators and administrators should gather vulnerability information about the software they run from sources such as news media, vendor websites and vulnerability information portals (*7). Fixing disclosed vulnerabilities promptly prevents the attacks that try to exploit them.
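The S2-045 advisory (not this page) describes the flaw as OGNL evaluation of an attacker-controlled Content-Type header by the Jakarta multipart parser, and the related S2-046 named in note *5 reaches the same code through the Content-Disposition header of a multipart part. That makes an attempt visible at the HTTP layer, which matters on the days between disclosure and patch. The check below is an added example, not code from IPA or the Struts project: a request-header inspection of the kind one would run in a reverse proxy or WAF rule. The marker list is an assumption drawn from the publicly described shape of the S2-045 payloads and should be tuned against real traffic; the sample requests are constructed, and the probe is only the shape of a payload, not a working exploit.

```python
import re
from typing import Dict, List, Mapping

# Headers that S2-045 (Content-Type) and S2-046 (Content-Disposition of a
# multipart part) fed into the Jakarta multipart parser. Assumption: the front
# end exposes per-part headers; if it does not, only Content-Type is checked.
WATCHED_HEADERS = ("content-type", "content-disposition")

# Constructed marker list: OGNL expression syntax plus the Struts internals the
# public S2-045 payloads reach for. Tune against your own traffic.
OGNL_MARKERS = {
    "ognl-open":     re.compile(r"%\{|\$\{"),
    "member-access": re.compile(r"#_memberAccess", re.I),
    "static-call":   re.compile(r"@[\w.]+@", re.I),          # @java.lang.Runtime@getRuntime()
    "runtime-exec":  re.compile(r"Runtime\)?\.exec|ProcessBuilder", re.I),
    "context-var":   re.compile(r"#(context|cmd|request|response)\b", re.I),
}

# A legitimate Content-Type is a media type plus parameters; anything else is
# already suspicious regardless of which OGNL markers it carries.
MEDIA_TYPE = re.compile(
    r"^[\w!#$&^.+-]+/[\w!#$&^.+-]+(\s*;\s*[\w-]+=(\"[^\"]*\"|[^;\s]+))*\s*$")


def normalize(headers: Mapping[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; fold them once so lookups are reliable."""
    return {k.lower(): v for k, v in headers.items()}


def ognl_markers_in(value: str) -> List[str]:
    return [name for name, pattern in OGNL_MARKERS.items() if pattern.search(value)]


def inspect_request(headers: Mapping[str, str]) -> Dict[str, List[str]]:
    """Return {header: [findings]} for watched headers that look like an OGNL
    injection attempt. An empty dict means nothing suspicious was seen."""
    findings: Dict[str, List[str]] = {}
    h = normalize(headers)
    for name in WATCHED_HEADERS:
        value = h.get(name)
        if value is None:
            continue
        hits = ognl_markers_in(value)
        if name == "content-type" and not MEDIA_TYPE.match(value):
            hits.append("malformed-media-type")
        if hits:
            findings[name] = hits
    return findings


def is_struts_ognl_attempt(headers: Mapping[str, str]) -> bool:
    return bool(inspect_request(headers))


# Constructed sample requests: a normal browser upload and an S2-045-shaped probe.
BENIGN_UPLOAD = {
    "Host": "www.example.jp",
    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryAbc123",
    "Content-Length": "1840",
}
PROBE = {
    "Host": "www.example.jp",
    "Content-Type": "%{(#_='multipart/form-data').(#cmd='id')}",
    "Content-Length": "0",
}

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_UPLOAD), ("probe", PROBE)):
        print(label, inspect_request(req) or "clean")
```

The media-type test is the more robust half of the check: a Content-Type that is not a media type at all is wrong for every legitimate client, so it catches variants that rename or encode the OGNL markers. The marker list is there to give the alert a reason and to cover the Content-Disposition case, where the filename parameter is free text and the media-type test does not apply.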

1-3. Hot Topic #2: WordPress Vulnerabilities

~ Sixteen WordPress vulnerabilities this quarter; an increasing trend over the last three years ~

In February 2017, several vulnerabilities in WordPress, a popular content management system, were disclosed. If exploited, they allow remote attackers to tamper with web content on affected servers. Because attack code had been confirmed, IPA issued an emergency security alert (*8). After disclosure, more than 60,000 websites were defaced using the publicly available attack code (*9). The victims were sites that had not updated WordPress to the fixed version.

Figure 1-3 shows the number of WordPress vulnerabilities registered to JVN iPedia per quarter over the last 3 years, from April 2014 to March 2017. There were 70 in those 12 quarters, 16 of them in the 1st quarter of 2017 alone. Despite occasional declines, the overall trend is upward and may well continue.

If a WordPress vulnerability is exploited, the website can be tampered with and arbitrary script or HTML inserted. A tampered site may then be abused to spread malware, turning the victim into an attacker. Website operators should keep track not only of the WordPress version they run but also of which plugins they use and at which versions, and update them whenever the developers release new versions.
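Both hot topics reduce to the same operational question: is the installed version of each product behind the version in which the relevant fix shipped? The added example below (not code from IPA, Apache or WordPress) answers that for a small inventory and handles the branch problem both products share: Struts 2 shipped the S2-045 fix separately for the 2.3 and 2.5 lines, and the February 2017 WordPress fix concerns only the 4.7 line, so a version must be compared with the fixed release of its own branch and not with the newest release overall. The rule table, the jar path, the `version.php` content and the plugin header are constructed sample data; the version numbers in the rule table are illustrative and not taken from this page, so replace them with the current vendor advisory before use. The plugin name is hypothetical.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1). Stops at the first non-numeric component,
    so '2.3.32-rc1' -> (2, 3, 32)."""
    parts: List[int] = []
    for piece in re.split(r"[.\-]", text.strip()):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(parts)


def version_lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """Compare after zero-padding: (2, 3, 32) equals (2, 3, 32, 0) instead of
    sorting before it, as plain tuple comparison would make it."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


class FixRule(NamedTuple):
    advisory: str        # what the rule refers to
    affected_from: str   # first affected version in this branch
    fixed_in: str        # first fixed version in this branch


# Constructed sample table, one rule per maintained branch. Version numbers are
# illustrative; take the real ones from the vendor advisory.
FIX_RULES: Dict[str, List[FixRule]] = {
    "struts2-core": [
        FixRule("S2-045 (CVE-2017-5638)", "2.3.5", "2.3.32"),
        FixRule("S2-045 (CVE-2017-5638)", "2.5.0", "2.5.10.1"),
    ],
    "wordpress": [
        FixRule("WordPress 4.7.x content tampering (Feb 2017)", "4.7.0", "4.7.2"),
    ],
    # Hypothetical plugin; every plugin needs rules of its own.
    "wp-plugin:example-gallery": [
        FixRule("example-gallery vendor advisory", "1.0", "1.4.2"),
    ],
}


def vulnerable_to(product: str, version: str) -> List[str]:
    """Advisories whose affected range [affected_from, fixed_in) contains version."""
    v = parse_version(version)
    hits = []
    for rule in FIX_RULES.get(product, []):
        lo, fixed = parse_version(rule.affected_from), parse_version(rule.fixed_in)
        if not version_lt(v, lo) and version_lt(v, fixed):
            hits.append(rule.advisory)
    return hits


# Extractors for the places these versions actually live on disk.
def struts_jar_version(jar_path: str) -> str:
    """WEB-INF/lib/struts2-core-<version>.jar"""
    m = re.search(r"struts2-core-(\d[\w.\-]*?)\.jar$", jar_path)
    if not m:
        raise ValueError(f"not a struts2-core jar: {jar_path}")
    return m.group(1)


def wordpress_core_version(version_php: str) -> str:
    """wp-includes/version.php contains a line like: $wp_version = '4.7.1';"""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def wordpress_plugin_version(plugin_header: str) -> str:
    """The plugin's main PHP file carries a 'Version:' line in its header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", plugin_header, re.M)
    if not m:
        raise ValueError("no Version: header found")
    return m.group(1)


def audit(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """product -> open advisories; an empty list means nothing is open."""
    return {p: vulnerable_to(p, v) for p, v in inventory.items()}


if __name__ == "__main__":
    # Constructed inputs standing in for files read from a server.
    sample = {
        "struts2-core": struts_jar_version("/opt/app/WEB-INF/lib/struts2-core-2.3.31.jar"),
        "wordpress": wordpress_core_version("<?php\n$wp_version = '4.7.1';\n"),
        "wp-plugin:example-gallery": wordpress_plugin_version(
            "/*\n * Plugin Name: Example Gallery\n * Version: 1.4.2\n */"),
    }
    for product, open_advisories in audit(sample).items():
        print(f"{product} {sample[product]}: {', '.join(open_advisories) or 'no open advisory'}")
```

Two details carry most of the value. The zero-padding in `version_lt` is what lets 2.5.10.1 be recognized as the fix for 2.5.10; without it the four-component version sorts after every three-component one and the comparison silently inverts. And modelling each rule as a half-open range per branch is what stops a 2.3.x deployment from being marked safe merely because it is older than 2.5.10.1.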

Apache Struts 2 and WordPress, the two hot topics, are both website-related software. What the 1st quarter shows is that once attack code for a website-related vulnerability is confirmed and abused, the damage spreads quickly.

When a serious vulnerability is disclosed, IPA issues an emergency security alert. Alerts can be received as soon as they are issued through the service "icat for JSON" (*10).

2. Details on JVN iPedia Registered Data

2-1. Type of Vulnerabilities Reported

Figure 2-1 shows the number of vulnerabilities newly added to JVN iPedia during the 1st quarter of 2017, grouped by CWE vulnerability type.

The type reported most often in the 1st quarter was CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) with 400 cases, followed by CWE-200 (Information Exposure) with 327, CWE-284 (Improper Access Control) with 323, CWE-79 (Cross-Site Scripting) with 290, and CWE-264 (Permissions, Privileges and Access Controls) with 243. CWE-119, the most reported type this quarter, can allow attackers to execute arbitrary code on affected servers and PCs, with consequences such as unauthorized access to and/or modification of data.

Software developers need to build in the necessary security measures from the planning and design phases of development in order to reduce vulnerabilities. IPA provides tools and guidelines such as "How to Secure Your Website" (*11) and the "Secure Programming Guide" (*12) to help website developers and operators build secure websites.

2-2. Severity of Vulnerabilities Reported

Figure 2-2 shows the yearly change in the severity (CVSSv2) of vulnerabilities registered to JVN iPedia based on the year they were first published.

As of March 2017, 39.5 percent are level III ("High", CVSS base score 7.0 to 10.0), 52.9 percent are level II ("Medium", CVSS base score 4.0 to 6.9), and 7.6 percent are level I ("Low", CVSS base score 0.0 to 3.9). In other words, 92.4 percent of all reported vulnerabilities are level II or higher, which is severe enough to cause damage such as information exposure or data modification.

To mitigate threats imposed by the known vulnerabilities, it is essential for users to update software to the latest version or apply security patches as soon as possible when they become available.

In addition to the CVSSv2 severity score, JVN iPedia has provided a CVSSv3 (*13) severity score on a trial basis since December 1, 2015 (*14).

2-3. Type of Software Reported with Vulnerability

Figure 2-3 shows the yearly change in the type of software reported with vulnerabilities. Application vulnerabilities are published most, accounting for 73.5 percent of the 2017 total.

Vulnerabilities in industrial control systems (ICS) used in critical infrastructure sectors have been added to JVN iPedia since 2007. As of the 1st quarter of 2017, a total of 1,022 ICS vulnerabilities have been registered (Figure 2-4).

2-4. Product Reported with Vulnerability

Table 2-4 lists the 20 software products with the most vulnerabilities registered to JVN iPedia during the 1st quarter (January to March) of 2017. The Linux kernel ranks 1st with 210 vulnerabilities. Many operating systems and other products from major vendors such as Microsoft, Apple and Oracle also appear in the list.

Beyond the top 20, JVN iPedia stores vulnerabilities in a wide variety of software used in business and at home in Japan. IPA hopes software developers and users will use JVN iPedia to check vulnerability information about the software they use efficiently and to take the necessary action in a timely manner (*15).


Table 2-4. Top 20 Software Products with the Most Vulnerabilities Registered [Jan. 2017 - Mar. 2017]

Rank | Category | Product Name (Vendor) | Number of Vulnerabilities Registered
1 | OS | Linux Kernel (kernel.org) | 210
2 | OS | Android (Google) | 159
3 | Enterprise Resource Management | Oracle E-Business Suite (Oracle) | 121
4 | OS | iOS (Apple) | 108
5 | OS | Apple Mac OS X (Apple) | 79
6 | OS | tvOS (Apple) | 78
7 | OS | Microsoft Windows Server 2008 (Microsoft) | 66
8 | OS | Microsoft Windows 7 (Microsoft) | 65
9 | Browser | Google Chrome (Google) | 63
10 | OS | Microsoft Windows Vista (Microsoft) | 57
11 | OS | Microsoft Windows Server 2016 (Microsoft) | 47
12 | OS | Microsoft Windows 10 (Microsoft) | 46
13 | OS | Debian GNU/Linux (Debian) | 45
14 | OS | watchOS (Apple) | 43
15 | OS | Microsoft Windows Server 2012 (Microsoft) | 42
15 | Browser | Safari (Apple) | 42
17 | Service Management | Oracle Advanced Outbound Telephony (Oracle) | 41
17 | Packet Capture | tcpdump (The Tcpdump Group) | 41
19 | OS | Microsoft Windows 8.1 (Microsoft) | 39
20 | Clock Synchronization | NTP (NTP Project) | 38

3. Most Accessed Vulnerability Countermeasure Information

Table 3-1 lists the 20 most accessed vulnerability entries in JVN iPedia during the 1st quarter of 2017 (January to March).

Apache Struts 2 entries rank 1st and 2nd, showing how much attention the Apache Struts 2 vulnerabilities attracted. The 4th entry, SKYSEA Client View, was registered last quarter; this software is widely used for asset management across many organizations, so system administrators and users are probably still consulting the entry to deal with it. IPA issued emergency security alerts for both Apache Struts 2 and SKYSEA Client View because attacks exploiting their vulnerabilities had been confirmed.


Table 3-1. Top 20 Most Accessed Vulnerability Countermeasure Information in JVN iPedia [Jan. 2017 - Mar. 2017]

No | ID | Title | CVSSv2 Base Score | Date Public | Access Count
1 | JVNDB-2017-000012 | Java (OGNL) code execution in Apache Struts 2 when devMode is enabled | 6.8 | 2017/1/20 | 5,778
2 | JVNDB-2017-001621 | Apache Struts 2 Arbitrary Code Execution Vulnerability (in Japanese only) | 10.0 | 2017/3/10 | 5,432
3 | JVNDB-2017-000003 | Olive Diary DX vulnerable to cross-site scripting | 4.3 | 2017/1/6 | 5,025
4 | JVNDB-2016-000249 | SKYSEA Client View vulnerable to arbitrary code execution | 10.0 | 2016/12/22 | 4,989
5 | JVNDB-2017-000002 | WEB SCHEDULE vulnerable to cross-site scripting | 4.3 | 2017/1/6 | 4,898
6 | JVNDB-2017-000008 | AttacheCase vulnerable to directory traversal | 4.3 | 2017/1/16 | 4,658
7 | JVNDB-2017-001054 | Arbitrary file upload vulnerability in GigaCC OFFICE | 5.5 | 2017/1/20 | 4,605
8 | JVNDB-2017-000001 | Olive Blog vulnerable to cross-site scripting | 4.3 | 2017/1/6 | 4,561
9 | JVNDB-2017-000013 | Nessus vulnerable to cross-site scripting | 4.3 | 2017/1/24 | 4,392
10 | JVNDB-2017-000007 | Cybozu Remote Service Manager fails to verify client certificates | 4.9 | 2017/1/11 | 4,201
11 | JVNDB-2017-001053 | Mis-configuration of Apache Velocity template engine used to send emails in GigaCC OFFICE | 6.0 | 2017/1/20 | 4,182
12 | JVNDB-2017-000009 | MaruUo Factory's multiple AttacheCase products vulnerable to directory traversal | 4.3 | 2017/1/20 | 4,077
13 | JVNDB-2016-004511 | DES and Triple DES encryption algorithm used in cryptographic protocols like TLS vulnerable to birthday attacks (in Japanese only) | 5.0 | 2016/9/2 | 3,782
14 | JVNDB-2017-000015 | Norton Download Manager may insecurely load Dynamic Link Libraries | 6.8 | 2017/2/10 | 3,677
15 | JVNDB-2017-000011 | Knowledge vulnerable to cross-site request forgery | 4.0 | 2017/1/24 | 3,623
16 | JVNDB-2016-000250 | Wireshark for Windows issue where an arbitrary file may be deleted | 4.0 | 2016/12/26 | 3,592
17 | JVNDB-2016-000251 | WinSparkle issue where registry value is not validated | 4.0 | 2016/12/26 | 3,567
18 | JVNDB-2017-000024 | Self-Extracting Archives created by 7-ZIP32.DLL may insecurely load Dynamic Link Libraries | 6.8 | 2017/2/17 | 3,545
19 | JVNDB-2017-000010 | smalruby-editor vulnerable to OS command injection | 7.5 | 2017/1/24 | 3,398
20 | JVNDB-2016-000247 | BlueZ userland utilities vulnerable to buffer overflow | 3.5 | 2016/12/22 | 3,355

Table 3-2 lists the 5 most accessed entries among the vulnerabilities reported by domestic product developers. System administrators running vulnerable software should apply security patches or update their systems as soon as possible to prevent damage.


Table 3-2. Top 5 Most Accessed Vulnerabilities Reported by Domestic Developers [Jan. 2017 - Mar. 2017]

No | ID | Title | CVSSv2 Base Score | Date Public | Access Count
1 | JVNDB-2016-006450 | Vulnerability in JP1/Cm2/Network Node Manager i | 4.3 | 2017/1/4 | 1,885
2 | JVNDB-2016-005655 | Vulnerabilities in JP1/IT Desktop Management 2 - Manager and JP1/NETM/DM | 10.0 | 2016/11/1 | 835
3 | JVNDB-2011-001632 | Arbitrary Data Insertion Vulnerability in Hitachi Web Server SSL/TLS Protocol | 4.3 | 2011/5/26 | 227
4 | JVNDB-2007-001022 | Apache UTF-7 Encoding Cross-Site Scripting Vulnerability | 4.3 | 2007/12/25 | 227
5 | JVNDB-2011-001633 | Header Customization by Hitachi Web Server RequestHeader Directive Could Allow Attacker to Access Data Deleted from Memory | 5.1 | 2011/5/26 | 206

Note 1) Color Code for CVSS Base Score and Severity Level (in the original tables)

CVSS Base Score 0.0 to 3.9: Severity Level I (Low)
CVSS Base Score 4.0 to 6.9: Severity Level II (Medium)
CVSS Base Score 7.0 to 10.0: Severity Level III (High)

Note 2) Color Code for Published Date (in the original tables)

Published in 2015 and before / Published in 2016 / Published in 2017

Footnotes

(*1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information including information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.
https://jvn.jp/en/

(*2) National Vulnerability Database: A vulnerability database operated by NIST.
http://nvd.nist.gov/home.cfm

(*3) National Institute of Standards and Technology: A U.S. federal agency that develops and promotes measurement, standards and technology.
http://www.nist.gov/

(*4) An open-source software framework for developing Java web applications.

(*5) [Update] Emergency Security Alert for Apache Struts 2 Vulnerabilities (CVE-2017-5638)(S2-045)(S2-046)
https://www.ipa.go.jp/security/ciadr/vul/20170308-struts.html (in Japanese only)

(*6) Japan Housing Finance Agency: Unauthorized Access to Contractor GMO Payment Gateway Website and Possible Data Breach of Personal Information
http://www.jhf.go.jp/topics/topics_20170310_im.html (in Japanese only)

(*7) Apache Struts 2 Vulnerabilities
https://www.ipa.go.jp/security/announce/struts2_list.html (in Japanese only)

(*8) Emergency Security Alert for WordPress Vulnerabilities
https://www.ipa.go.jp/security/ciadr/vul/20170206-wordpress.html (in Japanese only)

(*9) Cyberattacks exploiting WordPress vulnerabilities on the rise: more than 60,000 websites defaced
http://www.itmedia.co.jp/enterprise/articles/1702/09/news064.html (in Japanese only)

(*10) A security information service that displays IPA security alerts on one's own website in real time. Used by more than 1,000 websites, including those of companies, government agencies and educational institutions.
https://www.ipa.go.jp/security/vuln/icat.html (in Japanese only)

(*11) How to Secure Your Websites
https://www.ipa.go.jp/security/vuln/websecurity.html (latest version in Japanese only)

(*12) Secure Programming Guide
https://www.ipa.go.jp/security/awareness/vendor/programming/ (in Japanese only)

(*13) CVSSv3: An open framework for assessing the severity of vulnerabilities. Version 3 takes into account changes in technology such as the spread of virtualization and sandboxing.
https://www.first.org/cvss/specification-document
https://www.ipa.go.jp/security/vuln/CVSSv3.html (in Japanese only)

(*14) IPA has started to add CVSSv3 score to JVN iPedia
https://www.ipa.go.jp/security/vuln/SeverityLevel3.html (in Japanese only)

(*15) IPA Technical Watch - Daily Practice Guide: Tips on Vulnerability Management
The guide gives tips on how to collect and use vulnerability information effectively and efficiently.
https://www.ipa.go.jp/security/technicalwatch/20150331.html (in Japanese only)

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)