Vulnerability Countermeasure Information Database JVN iPedia Registration Status [2017 4th Quarter (Oct. - Dec.)]
February 23, 2018
IT Security Center
The vulnerability countermeasure information database JVN iPedia (https://jvndb.jvn.jp/en/) is endeavoring to become a comprehensive vulnerability database where vulnerability information is aggregated for easy access for IT users. JVN iPedia collects and/or translates the vulnerability information published by 1) domestic software developers, 2) JVN (*1), a vulnerability information portal run by JPCERT/CC and IPA, and 3) NVD (*2), a vulnerability database run by NIST (*3). JVN iPedia has been making vulnerability information available to the public since April 25, 2007.
~ JVN iPedia now stores 78,410 vulnerabilities ~
The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 4th quarter of 2017 (October 1 to December 31, 2017) is shown in the table below. As of the end of December 2017, the total number of vulnerabilities stored in JVN iPedia is 78,410 (Table 1-1, Figure 1-1).
As for the English version, a total of 1,836 vulnerabilities are available, as shown in the lower half of the table.
Version | Information Source | Registered Cases | Cumulative Cases |
---|---|---|---|
Japanese Version | Domestic Product Developers | 10 cases | 196 cases |
Japanese Version | JVN | 213 cases | 7,864 cases |
Japanese Version | NVD | 3,496 cases | 70,350 cases |
Japanese Version | Total | 3,719 cases | 78,410 cases |
English Version | Domestic Product Developers | 8 cases | 194 cases |
English Version | JVN | 31 cases | 1,642 cases |
English Version | Total | 39 cases | 1,836 cases |
~ Record-high 13,792 vulnerabilities registered in 2017 – more than double the number in 2016 ~
IPA launched JVN iPedia in April 2007. Figure 1-2 shows the annual number of vulnerabilities registered to JVN iPedia in the last five years.
In 2013, it was 5,272. Three years later, in 2016, it had increased to 6,524. The next year, in 2017, it reached a record high of 13,792 – more than double the number in 2016. Most of these vulnerabilities, 12,804 or 94 percent, were collected from NVD, which means it was the number of vulnerabilities published on NVD that had drastically increased.
Besides the general increase in the number of vulnerabilities discovered and published, this may be attributed to growth in the number of CVE Numbering Authorities (CNAs) (*4) following the revision of the CNA qualifications (*5). The number of CNAs was 47 in December 2016 (*6) and had grown to 81, about 1.7 times as many, by November 2017 (*7). This likely enabled more vulnerabilities to be assigned a CVE and published on NVD.
As the use of software has become more and more pervasive, cyberattacks that exploit software vulnerability and resulting security breaches have also become pervasive and persistent. To avoid becoming a victim, IT users need to take proper actions to mitigate vulnerability. JVN iPedia is a database of vulnerability published daily, and has a search functionality for IT users to narrow down and obtain the information they need. IPA hopes JVN iPedia will help IT users manage and mitigate vulnerability.
~ Many vulnerabilities in those to-be-EOL software published in 2017 were highly severe ones – upgrade to supported versions or migrate to other products ~
The January 22 issue of "IPA Security Help Desk News (*8)" warned that Microsoft would end extended support for Windows 7 and Windows Server 2008 in early 2020. Figure 1-3 shows the severity of vulnerabilities in Windows 7 and Windows Server 2008 registered to JVN iPedia in 2017. 60 out of 231 Windows 7 vulnerabilities (26 percent) and 63 out of 242 Windows Server 2008 vulnerabilities (26 percent) were of the highest severity, "High". This suggests more "High" vulnerabilities may be found and disclosed in the future, both before and after 2020.
Even if a new vulnerability is found in an end-of-life product and cyberattacks that exploit it are observed, IT users will not be able to fix it because the product vendor will provide neither a security patch nor an update. This means the continued use of end-of-life products exposes their users to a constant security risk. System administrators need to check whether the software products they are using are still supported and when their support ends. If support is scheduled to end, they should promptly plan to upgrade to supported versions or migrate to other products.
In addition to Windows 7 and Windows Server 2008, support for Microsoft Office 2010 (*9) and Adobe Flash Player (*10) is planned to end in 2020. IT users still using them should plan a migration as well.
Figure 2-1 shows the number of vulnerabilities newly added to JVN iPedia during the 4th quarter of 2017, sorted by the CWE vulnerability types.
The vulnerability type reported most in the 4th quarter is CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) with 715 cases, followed by CWE-79 (Cross-Site Scripting) with 398, CWE-200 (Information Exposure) with 371, CWE-264 (Permissions, Privileges and Access Controls) with 299, and CWE-284 (Improper Access Control) with 253 cases. CWE-119, the most reported vulnerability type this quarter, could allow attackers to execute arbitrary code on affected servers/PCs, causing various undesirable consequences such as unauthorized access to and/or modification of data.
Software developers need to implement the necessary security measures from the planning and design phase of software development to mitigate vulnerabilities. IPA provides tools and guidelines, such as "How to Secure Your Website" (*11), "Secure Programming Guide" (*12) and "AppGoat" (*13), a hands-on vulnerability learning tool, for website developers and operators to build secure websites.
Figure 2-2 shows the yearly change in the severity (CVSSv2) of vulnerabilities registered to JVN iPedia based on the year they were first published.
As of the end of 2017, 29.3 percent are level III, 61.6 percent are level II and 9.1 percent are level I. This means 90.9 percent of all vulnerabilities reported are level II or higher, which are potentially critical enough to cause damage such as information exposure or data modification.
To mitigate threats imposed by the known vulnerabilities, it is essential for IT users to pay close attention to vulnerability information and update software they are using to the latest version or apply security patches as soon as possible when they become available.
When a serious vulnerability or attack is reported, IPA issues an emergency security alert. The alerts can be received as soon as they are issued through the service called "icat for JSON" (*14). IT users can also follow vulnerabilities newly published on JVN iPedia via its RSS feed.
Figure 2-3 shows the yearly change in the type of software reported with vulnerability. Application vulnerabilities have been published most, accounting for 74.0 percent (7,580 out of 10,250) of the 2017 total.
Since 2007, vulnerabilities in industrial control systems (ICS) used in critical infrastructure sectors have been added to JVN iPedia. As of the 4th quarter of 2017, a total of 1,263 ICS vulnerabilities have been registered (Figure 2-4). The annual number of ICS vulnerabilities has exceeded 100 every year since 2012, and exceeded 200 in 2016.
Table 2-1 lists the top 20 software whose vulnerabilities were most registered to JVN iPedia during the 4th quarter (October to December) of 2017. A number of vulnerabilities in two popular smartphone operating systems were disclosed - ranked 1st is Android OS (254 vulnerabilities) and 5th is iOS (74 vulnerabilities). Smartphone users should update their phone's OS immediately upon receiving update notifications.
Besides those in the top 20 list, JVN iPedia stores vulnerabilities about a variety of software used in office and at home. IPA hopes software developers and users will utilize JVN iPedia to efficiently check vulnerability information about the software they are using and take necessary action in a timely manner (*15).
Rank | Category | Product Name (Vendor) | Number of Vulnerabilities Registered |
---|---|---|---|
1 | OS | Android (Google) | 254 |
2 | OS | Debian GNU/Linux (Debian) | 95 |
3 | Packet Capture Tool | tcpdump (The Tcpdump Group) | 88 |
4 | Image Viewer | IrfanView (Irfan Skiljan) | 74 |
4 | OS | iOS (Apple) | 74 |
6 | Browser | Google Chrome (Google) | 71 |
7 | File Viewer | STDU Viewer (STDUtility) | 67 |
7 | OS | Apple Mac OS X (Apple) | 67 |
9 | PDF Viewer | Adobe Reader (Adobe Systems) | 62 |
9 | PDF Viewer/Editor | Adobe Acrobat DC (Adobe Systems) | 62 |
9 | PDF Viewer | Adobe Acrobat Reader DC (Adobe Systems) | 62 |
9 | PDF Viewer/Editor | Adobe Acrobat (Adobe Systems) | 62 |
13 | OS | tvOS (Apple) | 55 |
14 | OS | Linux Kernel (kernel.org) | 54 |
15 | Image Processing | XnView (XnSoft) | 40 |
15 | Browser | Safari (Apple) | 40 |
15 | OS | Microsoft Windows 10 (Microsoft) | 40 |
15 | Browser | Microsoft Edge (Microsoft) | 40 |
19 | OS | Microsoft Windows Server 2016 (Microsoft) | 38 |
20 | Cloud Computing Service | iCloud (Apple) | 36 |
Table 3-1 lists the top 20 most accessed vulnerability information in JVN iPedia during the 4th quarter of 2017 (October – December).
Ranked 1st, 2nd, 4th, 7th, 10th, 13th and 15th, 7 out of top 20, are vulnerabilities in Hitachi software products. Because Hitachi is a domestic vendor, its big user base in Japan may have contributed to their vulnerabilities catching a lot of attention from local users and pushing their rankings.
Table 3-2 lists the top 5 most accessed vulnerability information among those reported by domestic software developers.
No | ID | Title | CVSSv2 Base Score | Date Public | Access Count |
---|---|---|---|---|---|
1 | JVNDB-2017-007767 | Self-Decrypting Confidential Files created by JP1/HIBUN may insecurely load Dynamic Link Libraries | 6.8 | 2017/10/2 | 4,354 |
2 | JVNDB-2017-008411 | XXE Vulnerability in Hitachi Command Suite | 7.5 | 2017/10/18 | 4,219 |
3 | JVNDB-2017-008369 | Multiple Vulnerabilities in Hitachi Infrastructure Analytics Advisor | 7.5 | 2017/10/17 | 3,825 |
4 | JVNDB-2017-008364 | RMI Vulnerability in Hitachi Tuning Manager | 10.0 | 2017/10/17 | 3,704 |
5 | JVNDB-2017-008370 | Information Disclosure Vulnerability in Hitachi Automation Director | 3.5 | 2017/10/17 | 3,553 |
Note 1) Color Code for CVSS Base Score and Severity Level
CVSS Base Score | Severity Level |
---|---|
0.0~3.9 | I (Low) |
4.0~6.9 | II (Medium) |
7.0~10.0 | III (High) |
Note 2) Color Code for Published Date
Published in 2015 and before | Published in 2016 | Published in 2017 |
(*1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information including information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.
https://jvn.jp/en/
(*2) National Vulnerability Database: A vulnerability database operated by NIST.
https://nvd.nist.gov/home.cfm
(*3) National Institute of Standards and Technology: A U.S federal agency that develops and promotes measurement, standards and technology.
https://www.nist.gov/
(*4) CVE Numbering Authorities (CNAs): Organizations that are authorized to assign CVE IDs to vulnerabilities.
https://cve.mitre.org/cve/cna.html
(*5) CVE Numbering Authorities (CNA) Rules, Version 2.0
https://cve.mitre.org/cve/cna/CNA_Rules_v2.0.pdf
(*6) CVE Adds 7 New CVE Numbering Authorities (CNAs)
https://cve.mitre.org/news/archives/2016/news.html
(*7) SAP Added as CVE Numbering Authority (CNA)
https://cve.mitre.org/news/archives/2017/news.html
(*8) IPA Security Help Desk News: Extended support for Windows 7 and Windows Server 2008 will end in January 2020 ~ Make a mitigation plan suitable to your system environment and business operations ~
https://www.ipa.go.jp/security/anshin/mgdayori20180122.html (in Japanese only)
(*9) Windows 7 & Office 2010: End of Support in 2020
https://www.microsoft.com/ja-jp/business/windows/endofsupport.aspx (in Japanese only)
(*10) Flash & The Future of Interactive Content – Adobe
https://theblog.adobe.com/adobe-flash-update/
(*11) How to Secure Your Websites
https://www.ipa.go.jp/security/vuln/websecurity.html (latest version in Japanese only )
(*12) Secure Programming Guide
https://www.ipa.go.jp/security/awareness/vendor/programming/ (in Japanese only)
(*13) AppGoat
https://www.ipa.go.jp/security/vuln/appgoat/ (in Japanese only)
(*14) IPA Cyber Security Alert Service "icat for JSON"
https://www.ipa.go.jp/security/vuln/icat.html (in Japanese only)
(*15) IPA Technical Watch - Daily Practice Guide: Tips on Vulnerability Management
The guide gives tips on how to efficiently and effectively collect and leverage vulnerability information.
https://www.ipa.go.jp/security/technicalwatch/20150331.html (in Japanese only)
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)