Vulnerability Countermeasure Information Database JVN iPedia Registration Status [2017 3rd Quarter (Jul. - Sep.)]
November 30, 2017
IT Security Center
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/en/) aims to be a comprehensive database that aggregates vulnerability information about software used in Japan so that IT users can access it easily. JVN iPedia collects and/or translates the vulnerability information published by 1) domestic software developers, 2) JVN (*1), a vulnerability information portal run by JPCERT/CC and IPA, and 3) NVD (*2), a vulnerability database run by NIST (*3). JVN iPedia has made this vulnerability information available to the public since April 25, 2007.
~ JVN iPedia now stores 74,691 vulnerabilities ~
The vulnerability information registered to the Japanese version of JVN iPedia during the 3rd quarter of 2017 (July 1 to September 30, 2017) is summarized in the table below. As of the end of September 2017, the total number of vulnerabilities stored in JVN iPedia is 74,691 (Table 1-1, Figure 1-1). Since the start of 2017, the number of vulnerabilities published by NVD has been rising; this quarter it is 3,695, more than double the last quarter's 1,738.
As for the English version, a total of 1,797 vulnerabilities is available, as shown in the lower half of the table.
Table 1-1: Vulnerabilities registered to JVN iPedia

Version | Information Source | Registered Cases | Cumulative Cases |
---|---|---|---|
Japanese Version | Domestic Product Developers | 3 | 186 |
Japanese Version | JVN | 181 | 7,651 |
Japanese Version | NVD | 3,511 | 66,854 |
Japanese Version | Total | 3,695 | 74,691 |
English Version | Domestic Product Developers | 3 | 186 |
English Version | JVN | 66 | 1,611 |
English Version | Total | 69 | 1,797 |
~ Four of eight Blueborne vulnerabilities are assessed "High" severity. Update now! ~
In September 2017, a foreign security vendor (*4) disclosed the "Blueborne" vulnerabilities in Bluetooth (*5). They are a set of vulnerabilities in Bluetooth implementations, which are widely used in Android, iOS, Windows and Linux devices. According to the researchers who found the vulnerabilities, all devices with Bluetooth, an estimated 8.2 billion or more, could be affected. Because the ramifications of exploiting these vulnerabilities could be huge given the large number of potentially affected devices, IPA issued a security alert to widely notify the public of the issue (*6).
Table 1-2 is the list of all the Blueborne vulnerabilities registered to JVN iPedia. Half of them are assessed "High" severity with CVSSv2.
If exploited, attackers may steal sensitive information stored on the devices, infect them with malware such as a bot or ransomware, and remotely hijack them.
Users of Bluetooth devices should check their device vendors' security information and update their devices if affected. If the Bluetooth feature is not being used, disabling it neutralizes the vulnerabilities.
IPA's security alerts can be received as soon as they are issued through IPA's information service "icat for JSON" (*7). System operators and administrators can use it to help them mitigate vulnerabilities promptly.
~ Eight vulnerabilities reported in the past year. Three of them are assessed "High" severity ~
In September 2017, a major U.S. credit reporting firm announced that the private information of about 140 million people, including names and credit card information, might have been compromised (*8). According to the firm, attackers exploited an Apache Struts 2 vulnerability (JVNDB-2017-001621) published in March 2017 (*9). Upon its release, IPA issued a security alert (*10) because of the real possibility that this severe vulnerability would be exploited.
Then, another Apache Struts 2 vulnerability (JVNDB-2017-006931) was published in September 2017. Because exploit code was available and attacks leveraging it were expected, IPA issued a security alert for this vulnerability as well (*11).
Table 1-3 lists the Apache Struts 2 vulnerabilities registered to JVN iPedia in the past year (from October 2016 to September 2017). During that period, eight vulnerabilities, including the two mentioned above, were published.
JVNDB-2017-001621, mentioned above, has a CVSSv2 Base Score of 10.0, the highest possible. Together with two other vulnerabilities, three out of the eight were assessed "High" severity. System administrators running vulnerable software should check the vulnerability information provided by the developer (*12) and security vendors and fix security flaws as soon as possible. IPA maintains a vulnerability information page dedicated to Apache Struts2 (*13). Please make use of it for vulnerability mitigation.
Figure 2-1 shows the number of vulnerabilities newly added to JVN iPedia during the 3rd quarter of 2017, sorted by the CWE vulnerability types.
The vulnerability type reported most in the 3rd quarter is CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) with 735 cases, followed by CWE-284 (Improper Access Control) with 367 cases, CWE-79 (Cross-Site Scripting) with 358, CWE-264 (Permissions, Privileges, and Access Controls) with 327, and CWE-200 (Information Exposure) with 324. CWE-119, the most reported vulnerability type this quarter, could allow attackers to execute arbitrary code on affected servers/PCs, causing various undesirable consequences such as unauthorized access to and/or modification of data.
Software developers need to implement the necessary security measures from the planning and design phase of software development onward to mitigate vulnerabilities. IPA provides tools and guidelines such as "How to Secure Your Website" (*14), the "Secure Programming Guide" (*15) and "AppGoat" (*16), a hands-on vulnerability learning tool, for website developers and operators to build secure websites.
Figure 2-2 shows the yearly change in the severity (CVSSv2) of vulnerabilities registered to JVN iPedia based on the year they were first published.
As of September 2017, 38.4 percent are level III, 53.8 percent are level II and 7.8 percent are level I. This means 92.2 percent of all vulnerabilities reported are level II or higher, which are potentially critical enough to cause damage such as information exposure or data modification.
To mitigate threats imposed by the known vulnerabilities, it is essential for users to update software to the latest version or apply security patches as soon as possible when they become available.
In addition to a CVSSv2 severity score, JVN iPedia has provided a CVSSv3 (*17) severity score on a pilot basis since December 1, 2015 (*18).
Figure 2-3 shows the yearly change in the type of software in which vulnerabilities were reported. Application vulnerabilities have been published most, accounting for 74.3 percent (5,134 out of 6,903) of the 2017 total.
Since 2007, vulnerabilities in industrial control systems (ICS) used in critical infrastructure sectors have also been added to JVN iPedia. As of the 3rd quarter of 2017, a total of 1,190 ICS vulnerabilities have been registered (Figure 2-4).
Table 2-1 lists the top 20 software products whose vulnerabilities were most registered to JVN iPedia during the 3rd quarter (July to September) of 2017. Ranked 1st is Android OS (298 vulnerabilities), more than double the number of the 2nd-placed ImageMagick. Below the top 2, the list is occupied by OSes, PDF software and image processing software widely used in offices and at home.
Besides those in the top 20 list, JVN iPedia stores vulnerabilities in a variety of software used in offices and at home in Japan. IPA hopes software developers and users will utilize JVN iPedia to efficiently check vulnerability information about the software they are using and take the necessary action in a timely manner (*19).
Rank | Category | Product Name (Vendor) | Number of Vulnerabilities Registered |
---|---|---|---|
1 | OS | Android (Google) | 298 |
2 | Image Processing | ImageMagick (ImageMagick) | 123 |
3 | Browser | Microsoft Edge (Microsoft) | 80 |
4 | Image Processing | XnView (XnSoft) | 74 |
5 | OS | Microsoft Windows 10 (Microsoft) | 73 |
6 | OS | Microsoft Windows Server 2016 (Microsoft) | 69 |
7 | PDF Viewer/Editor | Adobe Acrobat (Adobe Systems) | 66 |
7 | PDF Viewer | Adobe Reader (Adobe Systems) | 66 |
7 | PDF Viewer/Editor | Adobe Acrobat DC (Adobe Systems) | 66 |
7 | PDF Viewer | Adobe Acrobat Reader DC (Adobe Systems) | 66 |
11 | OS | Microsoft Windows 8.1 (Microsoft) | 60 |
11 | OS | Microsoft Windows Server 2012 (Microsoft) | 60 |
13 | OS | Microsoft Windows Server 2008 (Microsoft) | 55 |
14 | OS | Microsoft Windows RT 8.1 (Microsoft) | 54 |
15 | OS | Microsoft Windows 7 (Microsoft) | 52 |
16 | Image Viewer | IrfanView (Irfan Skiljan) | 51 |
17 | OS | iOS (Apple) | 48 |
18 | OS | Linux Kernel (kernel.org) | 40 |
19 | OS | tvOS (Apple) | 37 |
19 | Binary Tool | GNU Binutils (GNU Project) | 37 |
Table 3-1 lists the top 20 most accessed vulnerability information in JVN iPedia during the 3rd quarter of 2017 (July – September).
ScreenOS, ranked 1st, is an operating system for business router products. The vulnerabilities found in ScreenOS are cross-site scripting flaws, which allow attackers to inject arbitrary web script or HTML into the browser the router administrator uses to log in to the router. System administrators running vulnerable software should apply the security patches provided by the vendor as soon as possible to prevent exploitation and the resulting damage.
Table 3-2 lists the top 5 most accessed vulnerability information among those reported by domestic product developers.
No | ID | Title | CVSSv2 Base Score | Date Public | Access Count |
---|---|---|---|---|---|
1 | JVNDB-2016-008607 | Vulnerability in Cosminexus HTTP Server and Hitachi Web Server | 4.3 | 2017/6/26 | 3,143 |
2 | JVNDB-2017-002225 | Cross-site Scripting Vulnerability in multiple Hitachi products | 4.3 | 2017/4/5 | 2,260 |
3 | JVNDB-2017-003108 | Multiple Vulnerabilities in Hitachi IT Operations Director and JP1/IT Desktop Management | 7.5 | 2017/5/16 | 2,169 |
4 | JVNDB-2017-006466 | Denial-of-service (DoS) Vulnerability in HiRDB | 5.0 | 2017/8/28 | 2,043 |
5 | JVNDB-2017-006769 | Denial-of-service (DoS) Vulnerability in JP1 and Hitachi IT Operations Director | 5.0 | 2017/9/4 | 1,954 |
Note 1) CVSS Base Score and Severity Level

CVSS Base Score | Severity Level |
---|---|
0.0 to 3.9 | I (Low) |
4.0 to 6.9 | II (Medium) |
7.0 to 10.0 | III (High) |
(*1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information including information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.
https://jvn.jp/en/
(*2) National Vulnerability Database: A vulnerability database operated by NIST.
http://nvd.nist.gov/home.cfm
(*3) National Institute of Standards and Technology: A U.S. federal agency that develops and promotes measurement, standards and technology.
http://www.nist.gov/
(*4) BlueBorne Information from the Research Team - Armis Labs
https://www.armis.com/blueborne/
(*5) A short-range wireless communication protocol, used for example to connect a PC or smartphone to a keyboard or earphones.
(*6) IPA Security Alert – Multiple Vulnerabilities in Implementation of Bluetooth
https://www.ipa.go.jp/security/ciadr/vul/20170914_blueborne.html (in Japanese only)
(*7) IPA Cyber Security Alert Service "icat for JSON"
https://www.ipa.go.jp/security/vuln/icat.html (in Japanese only)
(*8) Equifax Announces Cybersecurity Incident Involving Consumer Information
https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628
(*9) Equifax Releases Details on Cybersecurity Incident, Announces Personnel Changes
https://investor.equifax.com/news-and-events/news/2017/09-15-2017-224018832
(*10) IPA Security Alert – Apache Struts2 Vulnerability (CVE-2017-5638)(S2-045)(S2-046)
https://www.ipa.go.jp/security/ciadr/vul/20170308-struts.html (in Japanese only)
(*11) Apache Struts2 Vulnerability (CVE-2017-9805)(S2-052)
https://www.ipa.go.jp/security/ciadr/vul/20170906-struts.html (in Japanese only)
(*12) Apache Struts 2 Documentation - Security Bulletins
https://struts.apache.org/docs/security-bulletins.html
(*13) Apache Struts2 Vulnerabilities
https://www.ipa.go.jp/security/announce/struts2_list.html (in Japanese only)
(*14) How to Secure Your Websites
https://www.ipa.go.jp/security/vuln/websecurity.html (latest version in Japanese only)
(*15) Secure Programming Guide
https://www.ipa.go.jp/security/awareness/vendor/programming/ (in Japanese only)
(*16) AppGoat
https://www.ipa.go.jp/security/vuln/appgoat/ (in Japanese only)
(*17) CVSSv3: An open framework for assessing the severity of vulnerabilities. Version 3 takes into account developments in technology such as the prevalence of virtualization and sandboxing.
https://www.first.org/cvss/specification-document
https://www.ipa.go.jp/security/vuln/CVSSv3.html (in Japanese only)
(*18) IPA has started to add CVSSv3 score to JVN iPedia
https://www.ipa.go.jp/security/vuln/SeverityLevel3.html (in Japanese only)
(*19) IPA Technical Watch - Daily Practice Guide: Tips on Vulnerability Management
The guide gives tips on how to efficiently and effectively collect and leverage vulnerability information.
https://www.ipa.go.jp/security/technicalwatch/20150331.html (in Japanese only)
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)