Font Size Change

HOMEIT SecurityMeasures for Information Security VulnerabilitiesQuarterly ReportsVulnerability Countermeasure Information Database JVN iPedia Registration Status [2017 3rd Quarter (Jul. - Sep.)]


IT Security

Vulnerability Countermeasure Information Database JVN iPedia Registration Status [2017 3rd Quarter (Jul. - Sep.)]

November 30, 2017
IT Security Center

1. 2017 3rd Quarter: Vulnerability Countermeasure Information Database JVN iPedia Registration Status

The vulnerability countermeasure information database JVN iPedia ( is endeavoring to become a comprehensive database where vulnerability information about software used in Japan is aggregated for IT users to easily access vulnerability information. JVN iPedia collects and/or translates the vulnerability information published by 1) domestic software developers, 2) JVN (*1), a vulnerability information portal run by JPCERT/CC and IPA, and 3) NVD (*2), a vulnerability database run by NIST (*3). JVN iPedia has continued to make the vulnerability information available to the public since April 25, 2007.

1-1. Vulnerabilities Registered in 2017/3Q

~ JVN iPedia now stores 74,691 vulnerabilities ~

The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 3rd quarter of 2017 (July 1 to September 30, 2017) is shown in the table below. As of the end of September 2017, the total number of vulnerabilities stored in JVN iPedia is 74,691 (Table 1-1, Figure 1-1). Since the start of 2017, the number of vulnerabilities published by NVD has been on the rise. This quarter, it is 3,695, which is more than double of that of the last quarter, 1,738.

As for the English version, the total of 1,797 vulnerabilities are available as shown in the lower half of the table.

Table 1-1. Registered Vulnerabilities in 3rd Quarter of 2017
  Information Source Registered Cases Cumulative Cases
Japanese Version Domestic Product Developers 3 cases 186 cases
JVN 181 cases 7,651 cases
NVD 3,511 cases 66,854 cases
Total 3,695 cases 74,691 cases
English Version Domestic Product Developers 3 cases 186 cases
JVN 66 cases 1,611 cases
Total 69 cases 1,797 cases

1-2. Hot Topic #1: Bluetooth "BlueBorne" Vulnerabilities

~ Four of eight Blueborne vulnerabilities are assessed "High" severity. Update now! ~

In September 2017, a foreign security vendor (*4) disclosed the "Blueborne" vulnerabilities in Bluetooth (*5). They are a set of vulnerabilities in the implementation of Bluetooth, which is widely supported by Android, iOS, Windows and Linux devices. According to the researchers who found the vulnerabilities, all devices with Bluetooth, more than 8.2 billion devices to be estimated, could be affected. Because the ramification of exploitation of these vulnerabilities could be huge with such a large number of potentially affected devices, IPA issued a security alert to widely notify the public of the issue (*6).

Table 1-2 is the list of all the Blueborne vulnerabilities registered to JVN iPedia. Half of them are assessed "High" severity with CVSSv2.

If exploited, attackers may steal sensitive information stored in the devices or infect them with malware, such as bot or ransomware, and remotely hijack them.

Users of Bluetooth devices should check on their device vendors’ security information and update them if affected. If the Bluetooth feature is not being used, disabling it will nullify the vulnerabilities.

IPA's security alerts can be received as soon as they are issued through IPA's information service called "icat for JSON" (*7). System operators and administrators can use it to help facilitate their mission to mitigate vulnerabilities.

1-3. Hot Topic #2: Apache Struts2 Vulnerabilities

~ Eight vulnerabilities reported in the past year. Three of them are assessed "High" severity ~

In September 2017, a major U.S. credit reporting firm announced that about 140 million people's private information including name and credit card information might have been compromised (*8). According to the firm, attackers exploited an Apache Struts 2 vulnerability (JVNDB-2017-001621) released in March 2017 (*9). Upon its release, IPA issued a security alert (*10) due to the real possibility of exploitation of this severe vulnerability.

Then, another Apache Struts 2 vulnerability (JVNDB-2017-006931) was released in September 2017. Because of the availability of exploit code and prospect of attacks leveraging it, IPA issued a security alert for this vulnerability as well (*11).

Table 1-3 is the list of Apache Struts 2 vulnerabilities registered to JVN iPedia in the past year (from October 2016 to September 2017). During the time period, eight vulnerabilities including aforementioned two, have been published.

The severity of JVNDB-2017-001621 mentioned above is 10.0, the severest Base Score with CVSSv2. Including other two vulnerabilities, three out of eight vulnerabilities were assessed High severity. If using vulnerable software, system administrators should check on the vulnerability information provided by the developer (*12) and security vendors and fix security flaws as soon as possible. IPA has a vulnerability information page dedicated specifically to Apache Struts2 (*13). Please make use of it for vulnerability mitigation.

2. Details on JVN iPedia Registered Data

2-1. Types of Vulnerabilities Reported

Figure 2-1 shows the number of vulnerabilities newly added to JVN iPedia during the 3rd quarter of 2017, sorted by the CWE vulnerability types.

The type of the vulnerabilities reported most in the 3rd quarter is CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) with 735 cases, followed by CWE-284 (Improper Access Control) with 367 cases, CWE-79 Cross-Site Scripting) with 358, CWE-264 (Permissions, Privileges and Access Controls with 327, CWE-200 (Information Exposure) with 324. CWE-119, the most reported vulnerability type this quarter, could allow attackers to execute arbitrary code on affected servers/PCs, causing various undesirable consequences, such as unauthorized access to and/or modification of data.

Software developers need to make sure to implement necessary security measures from the planning and design phase of software development to mitigate vulnerability. IPA provides tools and guidelines, such as "How to Secure Your Website" (*14) and "Secure Programing Guide" (*15) and "AppGoat" (*16), a hands-on venerability learning tool, for website developers and operators to build secure websites.

2-2. Severity of Vulnerabilities Reported

Figure 2-2 shows the yearly change in the severity (CVSSv2) of vulnerabilities registered to JVN iPedia based on the year they were first published.

As of September 2017, 38.4 percent are level III, 53.8 percent are level ll and 7.8 percent are level I. This means 92.2 percent of all vulnerabilities reported are level II or higher, which are potentially critical enough to cause damage like information exposure or data modification.

To mitigate threats imposed by the known vulnerabilities, it is essential for users to update software to the latest version or apply security patches as soon as possible when they become available.

In addition to a CVSSv2 severity score, JVN iPedia has started a pilot to provide a CVSSv3 (*17) severity score since December 1, 2015 (*18).

2-3. Types of Software Reported with Vulnerability

Figure 2-3 shows the yearly change in the type of software reported with vulnerability. Application vulnerabilities have been published most, accounting for 74.3 percent (5,134 out of 6,903) of the 2017 total.

Since 2007, vulnerability in industrial control systems (ICS) used in critical infrastructure sectors has started to be added to JVN iPedia. As of the 3rd quarter of 2017, the total of 1,190 ICS vulnerabilities have been registered (Figure 2-4).

2-4. Products Reported with Vulnerability

Table 2-1 lists the top 20 software whose vulnerabilities were most registered to JVN iPedia during the 3rd quarter (July to September) of 2017. Ranked 1st is Android OS (298 vulnerabilities) and the number is more than double that of the 2nd-placed ImageMagick. Below the top 2, OS, PDF and image processing software used widely in office and at home occupy the list.

Besides those in the top 20 list, JVN iPedia stores vulnerabilities about a variety of software used in office and at home in Japan. IPA hopes software developers and users will utilize JVN iPedia to efficiently check vulnerability information about the software they are using and take necessary action in a timely manner (*19).

Table 2-4. Top 20 Software Products Vulnerabilities Were Most Registered [Jul. 2017 – Sep.2017]
RankCategoryProduct Name (Vendor) Number of
1 OS Android (Google) 298
2 Image Processing ImageMagick (ImageMagick) 123
3 Browser Microsoft Edge (Microsoft) 80
4 Image Processing XnView (XnSoft) 74
5 OS Microsoft Windows 10 (Microsoft) 73
6 OS Microsoft Windows Server 2016 (Microsoft) 69
7 PDF Viewer/Editor Adobe Acrobat (Adobe Systems) 66
7 PDF Viewer Adobe Reader (Adobe Systems) 66
7 PDF Viewer/Editor Adobe Acrobat DC (Adobe Systems) 66
7 PDF Viewer Adobe Acrobat Reader DC (Adobe Systems) 66
11 OS Microsoft Windows 8.1 (Microsoft) 60
11 OS Microsoft Windows Server 2012 (Microsoft) 60
13 OS Microsoft Windows Server 2008 (Microsoft) 55
14 OS Microsoft Windows RT 8.1 (Microsoft) 54
15 OS Microsoft Windows 7 (Microsoft) 52
16 Image Viewer IrfanView (Irfan Skiljan) 51
17 OS iOS (Apple) 48
18 OS Linux Kernel ( 40
19 OS tvOS (Apple) 37
19 Binary Tool GNU Binutils (GNU Project) 37

3. Most Accessed Vulnerability Countermeasure Information

Table 3-1 lists the top 20 most accessed vulnerability information in JVN iPedia during the 3rd quarter of 2017 (July – September).

ScreenOS, ranked 1st, is an operating system for business router products. Vulnerabilities found in ScreenOS is cross-site scripting, which allows attackers to insert arbitrary web script or HTML into the browser the router administrator is using to login to the router. If using vulnerable software, system administrators should apply security patches provided by the vender as soon as possible to prevent exploitation and resulting damage.

Table 3-1. Top 20 Most Accessed Vulnerability Countermeasure Information in JVN iPedia [Jul. 2017 – Sep. 2017]
1 JVNDB-2017-000183 Multiple cross-site scripting vulnerabilities in ScreenOS 4.0 2017/7/24 4,772
2 JVNDB-2017-000174 Self-Extracting Encrypted Files created by AttacheCase may insecurely load Dynamic Link Libraries 6.8 2017/7/14 4,394
3 JVNDB-2017-000169 Installers of Lhaz and Lhaz+, and Self-Extracting Archives created by Lhaz or Lhaz+ may insecurely load Dynamic Link Libraries 6.8 2017/7/7 4,223
4 JVNDB-2017-000179 Multiple Buffalo wireless LAN access point devices do not properly perform authentication 10.0 2017/7/20 3,826
5 JVNDB-2017-005208 gSOAP vulnerable to stack-based buffer overflow 7.5 2017/7/21 3,789
6 JVNDB-2017-000182 WordPress plugin "Simple Custom CSS and JS" vulnerable to cross-site scripting 2.6 2017/7/24 3,705
7 JVNDB-2017-000180 Multiple vulnerabilities in multiple Buffalo wireless LAN routers 4.3 2017/7/20 3,667
8 JVNDB-2016-005802 Microsoft IME may insecurely load Dynamic Link Libraries 5.1 2016/11/11 3,654
9 JVNDB-2017-000171 Installers of Mozilla Firefox and Thunderbird for Windows may insecurely load Dynamic Link Libraries 6.8 2017/7/11 3,607
10 JVNDB-2017-000184 Installer of Tween may insecurely load Dynamic Link Libraries 6.8 2017/7/24 3,594
11 JVNDB-2017-000181 WordPress plugin "Popup Maker" vulnerable to cross-site scripting 2.6 2017/7/24 3,555
12 JVNDB-2017-000177 RBB SPEED TEST App fails to verify SSL server certificates 4.0 2017/7/24 3,550
13 JVNDB-2017-000173 Installer of Yahoo! Toolbar (for Internet explorer) may insecurely load Dynamic Link Libraries 6.8 2017/7/12 3,493
14 JVNDB-2016-004511 DES and Triple DES encryption algorithm used in cryptographic protocols like TLS vulnerable to birthday attacks (in Japanese only) 5.0 2016/9/2 3,384
15 JVNDB-2017-000176 SONY Portable Wireless Server WG-C10 fails to restrict access permissions 7.5 2017/7/19 3,336
16 JVNDB-2017-000175 Multiple vulnerabilities SONY Portable Wireless Server WG-C10 5.2 2017/7/19 3,273
17 JVNDB-2017-000153 Installer of PDF Digital Signature Plugin provided by the Ministry of Justice may insecurely load Dynamic Link Libraries 6.8 2017/6/30 3,267
18 JVNDB-2017-000185 Multiple vulnerabilities in I-O DATA WN-AX1167GR 8.3 2017/7/27 3,266
19 JVNDB-2017-000158 Installer and self-extracting archive containing the installer of MLIT DenshiSeikabutsuSakuseiShienKensa system may insecurely load Dynamic Link Libraries 6.8 2017/7/3 3,250
20 JVNDB-2017-000188 I-O DATA WN-G300R31 uses hard-coded credentials 8.3 2017/7/27 3,244

Table 3-2 lists the top 5 most accessed vulnerability information among those reported by domestic product developers.

Table 3-2. Top 5 Most Accessed Vulnerabilities Reported by Domestic Developers [Jul. 2017 - Sep. 2017]
1 JVNDB-2016-008607 Vulnerability in Cosminexus HTTP Server and Hitachi Web Server 4.3 2017/6/26 3,143
2 JVNDB-2017-002225 Cross-site Scripting Vulnerability in multiple Hitachi products 4.3 2017/4/5 2,260
3 JVNDB-2017-003108 Multiple Vulnerabilities in Hitachi IT Operations Director and JP1/IT Desktop Management 7.5 2017/5/16 2,169
4 JVNDB-2017-006466 Denial-of-service (DoS) Vulnerability in HiRDB 5.0 2017/8/28 2,043
5 JVNDB-2017-006769 Denial-of-service (DoS) Vulnerability in JP1 and Hitachi IT Operations Director 5.0 2017/9/4 1,954

Note 1) Color Code for CVSS Base Score and Severity Level

CVSS Base Score = 0.0~3.9
Severity Level = I (Low)
CVSS Base Score = 4.0~6.9
Severity Level = II (Medium)
CVSS Base Score = 7.0~10.0
Severity Level = III (High)

Note 2) Color Code for Published Date

Published in 2015 and before Published in 2016 Published in 2017


(*1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information including information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.

(*2) National Vulnerability Database: A vulnerability database operated by NIST.

(*3) National Institute of Standards and Technology: A U.S federal agency that develops and promotes measurement, standards and technology.

(*4) BlueBorne Information from the Research Team - Armis Labs

(*5) A wireless communication protocol. For example, it is being used to connect short distance between a PC/smartphone and keyboard/earphones.

(*6) IPA Security Alert – Multiple Vulnerabilities in Implementation of Bluetooth (in Japanese only)

(*7) IPA Cyber Security Alert Service "icat for JSON" (in Japanese only)

(*8) Equifax Announces Cybersecurity Incident Involving Consumer Information

(*9) Equifax Releases Details on Cybersecurity Incident, Announces Personnel Changes

(*10) IPA Security Alert – Apache Struts2 Vulnerability (CVE-2017-5638)(S2-045)(S2-046) (in Japanese only)

(*11) Apache Struts2 Vulnerability (CVE-2017-9805)(S2-052) (in Japanese only)

(*12) Apache Struts 2 DocumentationSecurity Bulletins

(*13) Apache Struts2 Vulnerabilities (in Japanese only)

(*14) How to Secure Your Websites (latest version in Japanese only )

(*15) Secure Programing Guide (in Japanese only)

(*16) AppGoat (in Japanese only)

(*17) CVSSv3: An open framework for assessing the severity of vulnerabilities. With v3, evolution of technology, such as the prevalence of virtualization and sandbox technology, have been considered and introduced. (in Japanese only)

(*18) IPA has started to add CVSSv3 score to JVN iPedia (in Japanese only)

(*19) IPA Technical Watch - Daily Practice Guide: Tips on Vulnerability Management
The guide gives tips on how to efficiently and efficiently collect and leverage vulnerability information. (in Japanese only)

Past Quarterly Reports


IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)