Vulnerability Countermeasure Information Database JVN iPedia Registration Status [2017 2nd Quarter (Apr. - Jun.)]
August 28, 2017
IT Security Center
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/en/) is endeavoring to become a comprehensive database where vulnerability information about software used in Japan is aggregated for IT users to easily access vulnerability information. JVN iPedia collects and/or translates the vulnerability information published by 1) domestic software developers, 2) JVN (*1), a vulnerability information portal run by JPCERT/CC and IPA, and 3) NVD (*2), a vulnerability database run by NIST (*3). JVN iPedia has continued to make the vulnerability information available to the public since April 25, 2007.
~ JVN iPedia now stores 70,996 vulnerabilities ~
The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 2nd quarter of 2017 (April 1 to June 30, 2017) is shown in the table below. As of the end of June 2017, the total number of vulnerabilities stored in JVN iPedia is 70,996 (Table 1-1, Figure 1-1). Since the start of 2017, the number of vulnerabilities published by NVD has been on the rise. It was 2,687 last quarter, and 3,511 this quarter, increasing yet again.
As for the English version, a total of 1,728 vulnerabilities is available, as shown in the lower half of the table.
Version | Information Source | Registered Cases | Cumulative Cases |
---|---|---|---|
Japanese Version | Domestic Product Developers | 3 cases | 183 cases |
Japanese Version | JVN | 310 cases | 7,470 cases |
Japanese Version | NVD | 3,198 cases | 63,343 cases |
Japanese Version | Total | 3,511 cases | 70,996 cases |
English Version | Domestic Product Developers | 3 cases | 183 cases |
English Version | JVN | 89 cases | 1,545 cases |
English Version | Total | 92 cases | 1,728 cases |
~ More than eighty percent were serious enough to possibly result in service outage ~
In June 2017, several Japanese websites using a WordPress plug-in (*4) "WP Job Manager" were hacked by attackers who exploited a vulnerability in the plug-in. The vulnerability allowed attackers to upload image files without logging into the websites, resulting in website defacement. Since similar incidents seemed imminent, IPA issued an emergency security alert (*5) for the plug-in users.
Table 1-2 is a list of WordPress plug-in vulnerabilities registered to JVN iPedia this quarter.
There were 37 vulnerabilities, including JVNDB-2017-000139, for which IPA issued the above-mentioned security alert, and the severity of more than 80 percent of them (30 vulnerabilities) was higher than Level II (CVSSv2 score 4.0 - 6.9). This severity means those vulnerabilities are serious enough to possibly result in service outage.
Figure 1-2 is a pie chart of the CWEs that appear in Table 1-2 above.
As shown in the chart, cross-site scripting (CWE-79) accounts for 51.4 percent, followed by SQL injection (CWE-89) and path traversal (CWE-22) at 13.5 percent. A SQL injection vulnerability, for example, could allow attackers to modify, steal and/or leak data.
WordPress vulnerabilities lie not only in the WordPress itself but also in its plug-ins and could just as well cause serious security incidents. The system operators and administrators who are responsible for systems using a content management system (CMS), such as WordPress, need to watch out for updates for the CMS software itself as well as for its plug-ins.
IPA issues emergency security alerts for vulnerabilities in widely-used software as necessary. The alerts can be received as soon as they are issued through the service called “icat for JSON” (*6). System operators and administrators can use these information services to help them mitigate vulnerabilities.
~ Twenty-nine vulnerabilities reported this quarter – the highest number in the last three years ~
Through the Information Security Early Warning Partnership (*7), many DLL (*8) hijacking vulnerabilities were reported to IPA and registered to JVN iPedia this quarter. DLL hijacking occurs when an application such as an installer or self-extracting archive is executed and loads a DLL file placed in the same directory as the application in preference to the legitimate DLL file located in the Windows system directory. Some malware has been observed to exploit this behavior of vulnerable applications to spread infection (*9).
Figure 1-3 shows the quarterly change in the number of DLL hijacking vulnerabilities registered to JVN iPedia from the 3rd quarter of 2014 to this quarter. The ease of spotting this vulnerability may have contributed to the sudden increase in vulnerability reports.
Table 1-3 is a list of some DLL hijacking vulnerabilities registered to JVN iPedia this quarter. Their severity is relatively high (CVSSv2 base score 6.8 falls under severity level II), which means the effect of successful attacks could be potentially large.
Developers of installer builders and file compression/extraction tools, installers and self-extracting archives should take the following measures (*10) to protect users. Likewise, application users should take the following measures when executing an installer or self-extracting archive.
Make sure your software and/or tools contain no DLL hijack vulnerability.
When you find vulnerability information on the installer builder or file compression/extraction tool you are using, update it to the fixed version. Also, when you modify command execution, make sure that the commands in the legitimate and intended directory are executed.
Before executing an installer or self-extracting archive, make sure that there are no suspicious files in the same directory as the installer or self-extracting archive, or create a new directory and copy the installer or self-extracting archive there for execution. It is also strongly recommended that you do not execute an application downloaded from the Internet in the download directory. If you execute the installer or self-extracting archive in the download directory where a maliciously-crafted DLL file has been placed at some point in time, the installer or self-extracting archive may load the maliciously-crafted DLL file when it is executed.
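The user-side measure above (check the installer's directory for DLL files, or copy the installer into a newly created directory before running it) can be scripted. The following Python code is an added example, not IPA's or JVN's code; the function names and the sample files created in `demo()` are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# File type an application may load from its own directory before the system one.
LOADABLE_SUFFIXES = {".dll"}


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def neighbouring_dlls(installer: Path) -> list[Path]:
    """Return DLL files sitting in the same directory as the installer."""
    installer = installer.resolve()
    return sorted(
        p for p in installer.parent.iterdir()
        if p.is_file() and p != installer and p.suffix.lower() in LOADABLE_SUFFIXES
    )


def stage_in_new_directory(installer: Path) -> Path:
    """Copy only the installer into a freshly created directory; return the copy."""
    installer = installer.resolve()
    staging = Path(tempfile.mkdtemp(prefix="clean-run-"))
    staged = staging / installer.name
    shutil.copy2(installer, staged)
    if _sha256(staged) != _sha256(installer):
        raise RuntimeError("staged copy differs from the original")
    extra = [p for p in staging.iterdir() if p != staged]
    if extra:
        raise RuntimeError(f"staging directory is not empty: {extra}")
    return staged


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: a download folder with an installer and a stray DLL."""
    downloads = Path(tempfile.mkdtemp(prefix="downloads-"))
    installer = downloads / "setup.exe"  # constructed sample file
    installer.write_bytes(b"MZ constructed installer")
    (downloads / "VERSION.DLL").write_bytes(b"MZ constructed stray dll")
    (downloads / "readme.txt").write_text("not loadable")
    found = [p.name for p in neighbouring_dlls(installer)]
    staged = stage_in_new_directory(installer)
    return found, [p.name for p in staged.parent.iterdir()]


if __name__ == "__main__":
    print(demo())
```

A non-empty result from `neighbouring_dlls` is a reason to run the staged copy instead of the file in the download directory.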
Figure 2-1 shows the number of vulnerabilities newly added to JVN iPedia during the 2nd quarter of 2017, sorted by the CWE vulnerability types.
The type of vulnerability reported most in the 2nd quarter is CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) with 559 cases, followed by CWE-284 (Improper Access Control) with 364 cases, CWE-264 (Permissions, Privileges and Access Controls) with 316, CWE-200 (Information Exposure) with 302, and CWE-79 (Cross-Site Scripting) with 289. CWE-119, the most reported vulnerability type this quarter, could allow attackers to execute arbitrary code on affected servers/PCs, causing various undesirable consequences, such as unauthorized access to and/or modification of data.
Software developers need to make sure to implement necessary security measures from the planning and design phase of software development to mitigate vulnerabilities. IPA provides tools and guidelines, such as "How to Secure Your Website" (*11), "Secure Programing Guide" (*12) and "AppGoat" (*13), a hands-on vulnerability learning tool, for website developers and operators to build secure websites.
Figure 2-2 shows the yearly change in the severity (CVSSv2) of vulnerabilities registered to JVN iPedia based on the year they were first published.
As of June 2017, 39.1 percent are level III ("High", CVSS Base Score = 7.0-10.0), 53.2 percent are level II ("Medium", CVSS Base Score = 4.0-6.9), and 7.7 percent are level I ("Low", CVSS Base Score = 0.0-3.9). This means 92.3 percent of all vulnerabilities reported are level II or higher, which are potentially critical enough to cause damage like information exposure or data modification.
To mitigate threats posed by the known vulnerabilities, it is essential for users to update software to the latest version or apply security patches as soon as possible when they become available.
In addition to a CVSSv2 severity score, JVN iPedia has been piloting a CVSSv3 (*14) severity score since December 1, 2015 (*15).
Figure 2-3 shows the yearly change in the type of software reported with vulnerability. Application vulnerabilities have been published most, accounting for 73.3 percent of the 2017 total.
Since 2007, vulnerabilities in industrial control systems (ICS) used in critical infrastructure sectors have been added to JVN iPedia. As of the 2nd quarter of 2017, a total of 1,091 ICS vulnerabilities have been registered (Figure 2-4).
Table 2-1 lists the top 20 software whose vulnerabilities were most registered to JVN iPedia during the 2nd quarter (April to June) of 2017. Ranked 1st is ImageMagick, an image processing software, with 151 vulnerabilities. This is because NVD published its vulnerabilities in bulk, including those found before 2017, and not because a lot of ImageMagick vulnerabilities were found this quarter. Many operating systems made the top 20 list. As seen in Table 2-1, popular vendors’ software, such as Microsoft's and Apple's, is ranked in the list.
Besides those in the top 20 list, JVN iPedia stores vulnerabilities about a variety of software used in business and at home in Japan. IPA hopes software developers and users will make use of JVN iPedia to efficiently check vulnerability information about the software they are using and take necessary action in a timely manner (*16).
Rank | Category | Product Name (Vendor) | Number of Vulnerabilities Registered |
---|---|---|---|
1 | Image Processing | ImageMagick (ImageMagick) | 151 |
2 | OS | iOS (Apple) | 136 |
3 | OS | Linux Kernel (kernel.org) | 135 |
4 | OS | Android (Google) | 118 |
5 | OS | Microsoft Windows 10 (Microsoft) | 103 |
5 | OS | Microsoft Windows Server 2016 (Microsoft) | 103 |
7 | OS | Microsoft Windows Server 2012 (Microsoft) | 102 |
8 | OS | Apple Mac OS X (Apple) | 101 |
9 | OS | Microsoft Windows 8.1 (Microsoft) | 96 |
10 | OS | Microsoft Windows Server 2008 (Microsoft) | 90 |
11 | OS | tvOS (Apple) | 89 |
12 | OS | Microsoft Windows 7 (Microsoft) | 82 |
13 | OS | Microsoft Windows RT 8.1 (Microsoft) | 78 |
14 | Browser | Safari (Apple) | 70 |
15 | OS | watchOS (Apple) | 53 |
16 | Image Processing | AutoTrace (AutoTrace project) | 50 |
17 | PDF Viewer | Adobe Reader (Adobe Systems) | 49 |
17 | PDF Viewer/Editor | Adobe Acrobat (Adobe Systems) | 49 |
19 | OS | openSUSE Leap (openSUSE project) | 43 |
20 | Browser | Microsoft Edge (Microsoft) | 38 |
Table 3-1 lists the top 20 most accessed vulnerability information in JVN iPedia during the 2nd quarter of 2017 (April – June).
An improper access control vulnerability in Intel Active Management Technology was ranked 1st and became a hot topic, since the vulnerability could affect a large number of organizations if the technology was used on their servers, making system administrators scramble to respond.
Table 3-2 lists the top 5 most accessed vulnerability information among those reported by domestic product developers. If using vulnerable software, system administrators should apply security patches or update their system as soon as possible to prevent damage.
No | ID | Title | CVSSv2 Base Score | Date Public | Access Count |
---|---|---|---|---|---|
1 | JVNDB-2016-006450 | Vulnerability in JP1/Cm2/Network Node Manager i | 4.3 | 2017/1/4 | 2,731 |
2 | JVNDB-2017-002225 | Cross-site Scripting Vulnerability in multiple Hitachi products | 4.3 | 2017/4/5 | 788 |
3 | JVNDB-2017-003108 | Multiple Vulnerabilities in Hitachi IT Operations Director and JP1/IT Desktop Management | 7.5 | 2017/5/16 | 657 |
4 | JVNDB-2011-001632 | Arbitrary Data Insertion Vulnerability in Hitachi Web Server SSL/TLS Protocol | 4.3 | 2011/5/26 | 254 |
5 | JVNDB-2007-001022 | Apache UTF-7 Encoding Cross-Site Scripting Vulnerability | 4.3 | 2007/12/25 | 245 |
Note 1) CVSS Base Score and Severity Level
CVSS Base Score | Severity Level |
---|---|
0.0~3.9 | I (Low) |
4.0~6.9 | II (Medium) |
7.0~10.0 | III (High) |
(*1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information including information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.
https://jvn.jp/en/
(*2) National Vulnerability Database: A vulnerability database operated by NIST.
http://nvd.nist.gov/home.cfm
(*3) National Institute of Standards and Technology: A U.S. federal agency that develops and promotes measurement, standards and technology.
http://www.nist.gov/
(*4) Plug-in: a software component that adds a specific feature to an existing software.
(*5) JVN#56787058: Improper Access Control Vulnerability in WordPress Plug-In "WP Job Manager"
https://www.ipa.go.jp/security/ciadr/vul/20170615-jvn.html (in Japanese only)
(*6) A security information service that displays IPA security alerts in one’s website in real-time. Used by more than 1,000 websites including companies, government agencies and educational institutions.
https://www.ipa.go.jp/security/vuln/icat.html (in Japanese only)
(*7) Information Security Early Warning Partnership Guideline
https://www.ipa.go.jp/security/ciadr/partnership_guide.html (in Japanese only)
(*8) DLL: an executable file that contains specific code and/or data that can be shared by many programs.
(*9) RedLeaves: Malware Built on Open Source RAT (2017-04-03)
https://www.jpcert.or.jp/magazine/acreport-redleaves.html (in Japanese only)
(*10) JVNTA#91240916: DLL Hijacking and Command Execution Vulnerability in Windows Applications
https://jvn.jp/ta/JVNTA91240916/ (in Japanese only)
(*11) How to Secure Your Websites
https://www.ipa.go.jp/security/vuln/websecurity.html (latest version in Japanese only)
(*12) Secure Programing Guide
https://www.ipa.go.jp/security/awareness/vendor/programming/ (in Japanese only)
(*13) AppGoat
https://www.ipa.go.jp/security/vuln/appgoat/ (in Japanese only)
(*14) CVSSv3: An open framework for assessing the severity of vulnerabilities. v3 takes into account the evolution of technology, such as the prevalence of virtualization and sandbox technology.
https://www.first.org/cvss/specification-document
https://www.ipa.go.jp/security/vuln/CVSSv3.html (in Japanese only)
(*15) IPA has started to add CVSSv3 score to JVN iPedia
https://www.ipa.go.jp/security/vuln/SeverityLevel3.html (in Japanese only)
(*16) IPA Technical Watch - Daily Practice Guide: Tips on Vulnerability Management
The guide gives tips on how to efficiently collect and leverage vulnerability information.
https://www.ipa.go.jp/security/technicalwatch/20150331.html (in Japanese only)
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)