HOMEIT SecurityMeasures for Information Security VulnerabilitiesQuarterly ReportsVulnerability Countermeasure Information Database JVN iPedia Registration Status [2018 4th Quarter (Oct. - Dec.)]
February 21, 2019
IT Security Center
The vulnerability countermeasure information database JVN iPedia (https://jvndb.jvn.jp/en/) is endeavoring to become a comprehensive vulnerability database where vulnerability information is aggregated for easy access for IT users. JVN iPedia collects and/or translates the vulnerability information published by 1) domestic software developers, 2) JVN (*1), a vulnerability information portal site run by IPA and JPCERT/CC, and 3) NVD (*2), a vulnerability database run by NIST (*3). JVN iPedia has been making vulnerability information available to the public since April 25, 2007.
~ JVN iPedia now stores 92,674 vulnerabilities ~
The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 4th quarter of 2018 (October 1 to December 31, 2018) is shown in the table below. As of the end of December 2018, the total number of vulnerabilities stored in JVN iPedia is 92,674 (Table 1-1, Figure 1-1).
As for the English version, the total of 1,997 vulnerabilities are available as shown in the lower half of the table.
| Information Source | Registered Cases | Cumulative Cases | |
|---|---|---|---|
| Japanese Version | Domestic Product Developers | 6 cases | 210 cases |
| JVN | 66 cases | 8,271 cases | |
| NVD | 3,488 cases | 84,193 cases | |
| Total | 3,560 cases | 92,674 cases | |
| English Version | Domestic Product Developers | 6 cases | 210 cases |
| JVN | 36 cases | 1,787 cases | |
| Total | 42 cases | 1,997 cases |
~ Free public updates for Java SE 8, a version identified with lots of relatively severe vulnerabilities, now ended ~
Java SE developer Oracle Corporation announced that free public updates for Java SE 8 (Java Platform, Standard Edition 8) would not be available for business, commercial or production use (without a commercial license) after January 2019 (*4). If continuing to use the software without vendor support, since patches are no longer available even if new vulnerabilities are found, there would be quite a possibility where undesired consequences, such as information exposure and/or unexpected service disruption, may occur when unfixed vulnerabilities are exploded by attackers. Because Java SE is widely used by many organizations and the impact of successful attacks could be huge, IPA released a security alert for the Java SE 8 end-of-life issue (*5).
Figure 1-2 shows the severity of Java SE 8 vulnerabilities registered to JVN iPedia in the past year, from January 1 to December 31, 2018. There were no severest "Level III" vulnerabilities (CVSS Base Score = 7.0 – 10.0), but nearly 80 percent, 38 out of 48, were relatively severe "Level II" vulnerabilities (CVSS Base Score = 4.0 – 6.9). In case a similar number and level of vulnerabilities are discovered and disclosed in the coming years, commercial users who plan to continue to use Java SE 8 need to take some steps, such as using a paid support service, to protect their systems from attacks that exploit vulnerabilities.
~ Cross-site scripting and buffer errors top the list - a continuous trend from the previous year. Integer overflow found in hundreds of tokens jumped sharply ~
Figure 1-3 shows top 10 CWE types of vulnerabilities registered to JVN iPedia in 2018, and their number is compared to that of 2017.
In 2018, ranked 1st is CWE-79 (Cross-Site Scripting) and 2nd is CWE-119 (Buffer Errors). They were also top two in the previous year. CWE-119 decreased dramatically compared to 2017, bringing it down to the 2nd place. That is because of a big decrease in the disclosure of vulnerabilities classified as CWE-119 on NVD, a main vulnerability information resource of JVN iPedia. Ranked 3rd is CWE-20 (Improper Input Validation), followed by CWE-200 (Information Exposure) and CWE-284 (Improper Access Control). These top five CWE types account for about 50 percent of all types in 2018.
One of the characteristic vulnerabilities disclosed in 2018 can be the 8th-listed CWE-190 (Integer Overflow or Wraparound). It was 181 in 2017 but more than doubled to 498 in 2018. One factor is that hundreds of tokens compliant to ERC20 (*6), the token standard for Ethereum (*7), were found to have a CWE-190 vulnerability. If exploited, the vulnerability could allow attackers to exchange fraudulently-generated tokens for virtual currencies, making it possible to manipulate their price. As a countermeasure, multiple virtual currency exchanges suspended ERC20 token trading (*8).
Figure 2-1 shows the number of vulnerabilities newly added to JVN iPedia during the 4th quarter of 2018, sorted by the CWE vulnerability types.
The type of the vulnerabilities reported most in the 4th quarter is CWE-79 (Cross-Site Scripting) with 490 cases, followed by CWE-119 (Buffer Errors) with 390, CWE-20 (Improper Input Validation) with 292, CWE-284 (Improper Access Control) with 270 and CWE-200 (Information Exposure) with 249.
CWE-79, the most reported vulnerability type this quarter, could allow attackers to display false webpages and/or steal information.
Software developers need to make sure to mitigate vulnerability from the planning and design phase of software development. IPA provides tools and guidelines, such as "How to Secure Your Website" (*9), "Secure Programing Guide" (*10) and "AppGoat" (*11), a hands-on venerability learning tool, for website developers and operators to build secure websites.
Figure 2-2 shows the yearly change in the CVSSv2 rating scale based severity of vulnerabilities registered to JVN iPedia.
As for the vulnerabilities added to JVN iPedia in 2018, 26.5 percent are "Level III", 63.0 percent are "Level ll" and 10.5 percent are "Level I". This means 89.5 percent of all vulnerabilities registered are Level II or higher, which are potentially critical enough to cause damage like information exposure or data modification.
Figure 2-3 shows the yearly change in the CVSSv3 rating scale based severity of vulnerabilities registered to JVN iPedia.
As for the vulnerabilities added to JVN iPedia in 2018, 16.0 percent are "Critical", 46.3 percent are "High", 36.6 percent are "Medium" and 1.1 percent are “Low”.
To mitigate threats imposed by the known vulnerabilities, both developers and IT users should pay close attention to vulnerability disclosure and update software they are using to a fixed version or apply security patch as soon as they become available. They can also check vulnerabilities newly published on JVN iPeia in RSS and XML format (*12) as well.
Figure 2-4 shows the yearly change in the types of software reported with vulnerability. Application vulnerabilities have been published most, accounting for 78.3 percent (11,164 out of 14,264) of the 2018 total.
Figure 2-5 shows the yearly change in the number of JVN iPedia-stored vulnerabilities in industrial control systems (ICS) used in critical infrastructure sectors. As of December 2018, the total of 1,635 ICS vulnerabilities have been registered.
Table 2-1 lists the top 20 software whose vulnerabilities were most registered to JVN iPedia during the 4th quarter (October to December) of 2018.
In this quarter, ranked 1st is Debian GNU/Linux. It was also ranked 1st in 2018/1Q (117 vulnerabilities), 3rd in 2Q (171) and 2nd in 3Q (212), meaning that many vulnerabilities have been constantly reported. As a matter of fact, in this quarter, various OS products of popular vendors like Red Hat and Microsoft occupied most of the list.
Besides those in the top 20 list, JVN iPedia stores and offers vulnerability information about a variety of software. IPA hopes software developers and users will make good use of JVN iPedia to efficiently check vulnerability information and take necessary action in a timely manner (*13).
| Rank | Category | Product Name (Vendor) | Number of Vulnerabilities Registered |
|---|---|---|---|
| 1 | OS | Debian GNU/Linux (Debian) | 177 |
| 2 | PDF Viewer | Foxit Reader (Foxit Software Inc) | 122 |
| 3 | PDF Viewer/Editor | Foxit PhantomPDF (Foxit Software Inc) | 121 |
| 4 | OS | Ubuntu (Canonical) | 108 |
| 5 | PDF Viewer/Editor | Adobe Acrobat (Adobe Systems) | 95 |
| 5 | PDF Viewer | Adobe Acrobat Reader DC (Adobe Systems) | 95 |
| 5 | PDF Viewer/Editor | Adobe Acrobat DC (Adobe Systems) | 95 |
| 8 | OS | Microsoft Windows 10 (Microsoft) | 90 |
| 9 | OS | Microsoft Windows Server (Microsoft) | 86 |
| 10 | OS | Microsoft Windows Server 2016 (Microsoft) | 75 |
| 10 | OS | Android (Google) | 75 |
| 12 | OS | Red Hat Enterprise Linux Server (Red Hat) | 68 |
| 13 | OS | Red Hat Enterprise Linux Desktop (Red Hat) | 59 |
| 13 | OS | Microsoft Windows Server 2012 (Microsoft) | 59 |
| 13 | OS | Red Hat Enterprise Linux Workstation (Red Hat) | 59 |
| 16 | OS | Microsoft Windows 8.1 (Microsoft) | 57 |
| 17 | OS | Microsoft Windows RT 8.1 (Microsoft) | 56 |
| 18 | OS | Microsoft Windows Server 2008 (Microsoft) | 55 |
| 19 | OS | Microsoft Windows 7 (Microsoft) | 53 |
| 20 | OS | Microsoft Edge (Microsoft) | 50 |
Table 3-1 lists the top 20 most accessed vulnerability information in JVN iPedia during the 4th quarter of 2018 (October – December).
Top vulnerability of this quarter is that of FileZen. Its access count is way far more than others’ but it is due to a fact that there were a large number of accesses most likely made by some sort of program from a certain entity. Aside from the 17th and 19th, 18 out of 20 are the vulnerabilities published on JVN (Japan Vulnerability Notes). Vulnerabilities released on JVN includes those disclosed in accordance with the Information Security Early Warning Partnership (*14). Those vulnerabilities typically receive a lot of attention and are picked up by various news media and blogs, which probably made their access number up.
| No | ID | Title | CVSSv2 Base Score | CVSSv3 Base Score | Date Public | Access Count |
|---|---|---|---|---|---|---|
| 1 | JVNDB-2018-000104 | Multiple vulnerabilities in FileZen | 10.0 | 10.0 | 2018/10/15 | 514,239 |
| 2 | JVNDB-2018-000102 | Multiple vulnerabilities in Denbun | 7.5 | 9.8 | 2018/10/4 | 6,294 |
| 3 | JVNDB-2018-000101 | The installer of Baidu Browser may insecurely load Dynamic Link Libraries | 6.8 | 7.8 | 2018/10/3 | 6,239 |
| 4 | JVNDB-2018-000100 | +Message App fails to verify SSL server certificates | 4.0 | 4.8 | 2018/9/27 | 5,843 |
| 5 | JVNDB-2018-000092 | Multiple vulnerabilities in INplc | 7.5 | 9.8 | 2018/9/7 | 5,643 |
| 6 | JVNDB-2018-000110 | Web Isolation vulnerable to cross-site scripting | 4.3 | 6.1 | 2018/10/19 | 5,397 |
| 7 | JVNDB-2018-000103 | Music Center for PC improperly verifies software update files | 5.1 | 7.5 | 2018/10/9 | 5,337 |
| 8 | JVNDB-2018-000106 | User-friendly SVN vulnerable to cross-site scripting | 2.6 | 6.1 | 2018/10/9 | 5,284 |
| 9 | JVNDB-2018-000107 | OpenAM (Open Source Edition) vulnerable to session management | 4.0 | 5.0 | 2018/10/12 | 5,235 |
| 10 | JVNDB-2018-000105 | Metabase vulnerable to cross-site scripting | 4.3 | 6.1 | 2018/10/11 | 5,104 |
| 11 | JVNDB-2018-000129 | Multiple vulnerabilities in i-FILTER | 4.3 | 6.1 | 2018/12/7 | 5,100 |
| 12 | JVNDB-2018-000111 | BlueStacks App Player fails to restrict access permissions | 5.8 | 6.3 | 2018/10/24 | 5,045 |
| 13 | JVNDB-2018-000109 | Multiple vulnerabilities in YukiWiki | 4.3 | 6.1 | 2018/10/19 | 4,969 |
| 14 | JVNDB-2018-000113 | Multiple vulnerabilities in OpenDolphin | 6.5 | 8.8 | 2018/10/26 | 4,956 |
| 15 | JVNDB-2018-000116 | Mail app for iOS vulnerable to denial-of-service (DoS) | 5.0 | 7.5 | 2018/11/2 | 4,895 |
| 16 | JVNDB-2018-000112 | SecureCore Standard Edition vulnerable to authentication bypass | 2.1 | 2.4 | 2018/10/24 | 4,758 |
| 17 | JVNDB-2018-008547 | Clickjacking Vulnerability in Hitachi Device Manager | 4.3 | 4.3 | 2018/10/22 | 4,699 |
| 18 | JVNDB-2018-000099 | Cybozu Garoon vulnerable to directory traversal | 5.5 | 6.4 | 2018/9/10 | 4,617 |
| 19 | JVNDB-2018-009328 | Multiple Vulnerabilities in JP1/VERITAS | 10.0 | 9.8 | 2018/11/15 | 4,586 |
| 20 | JVNDB-2018-000117 | IMultiple vulnerabilities in WordPress plugin "LearnPress" | 6.5 | 7.2 | 2018/11/9 | 4,576 |
Table 3-2 lists the top 5 most accessed vulnerability information among those reported by domestic software developers.
| No | ID | Title | CVSSv2 Base Score | CVSSv3 Base Score | Date Public | Access Count |
|---|---|---|---|---|---|---|
| 1 | JVNDB-2018-008547 | Clickjacking Vulnerability in Hitachi Device Manager | 4.3 | 4.3 | 2018/10/22 | 4,699 |
| 2 | JVNDB-2018-009328 | Multiple Vulnerabilities in JP1/VERITAS | 10.0 | 9.8 | 2018/11/15 | 4,586 |
| 3 | JVNDB-2018-002257 | DoS Vulnerability in JP1/ ServerConductor/ Deployment Manager and Hitachi Compute Systems Manager | 7.8 | 7.5 | 2018/4/4 | 4,090 |
| 4 | JVNDB-2018-001389 | XXE Vulnerability in Hitachi Device Manager | 7.8 | 7.4 | 2018/2/14 | 4,076 |
| 5 | JVNDB-2018-001388 | Multiple Vulnerabilities in Hitachi Command Suite | 5.8 | 6.1 | 2018/2/14 | 4,040 |
Note 1) Color Code for CVSSv2 Base Score and Severity Level
| CVSS Base Score = 0.0~3.9 Severity Level = I (Low) |
CVSS Base Score = 4.0~6.9 Severity Level = II (Medium) |
CVSS Base Score = 7.0~10.0 Severity Level = III (High) |
Note 2) Color Code for CVSSv3 Base Score and Severity Level
| CVSS Base Score = 0.1~3.9 Severity Level = Low |
CVSS Base Score = 4.0~6.9 Severity Level = Medium |
CVSS Base Score = 7.0~8.9 Severity Level = High |
CVSS Base Score = 9.0~10.0 Severity Level = Critical |
Note 3) Color Code for Published Date
| Published in 2016 and before | Published in 2017 | Published in 2018 |
(*1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information including information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.
https://jvn.jp/en/
(*2) National Vulnerability Database: A vulnerability database operated by NIST.
https://nvd.nist.gov/home.cfm
(*3) National Institute of Standards and Technology: A U.S federal agency that develops and promotes measurement, standards and technology.
https://www.nist.gov/
(*4) Oracle Java SE Support Roadmap
https://www.oracle.com/technetwork/java/java-se-support-roadmap.html
(*5) Security Alert on Oracle Java change for Java SE business, commercial or production users
https://www.ipa.go.jp/security/announce/java8_eol.html (in Japanese only)
(*6) ERC20 Token
https://github.com/ethereum/EIPs/blob/master/EIPS/eip-20.md
(*7) Ethereum
https://www.ethereum.org/
(*8) New batchOverflow Bug in Multiple ERC20 Smart Contracts (CVE-2018–10299)
https://medium.com/@peckshield/alert-new-batchoverflow-bug-in-multiple-erc20-smart-contracts-cve-2018-10299-511067db6536
(*9) How to Secure Your Websites
https://www.ipa.go.jp/security/vuln/websecurity.html (latest version in Japanese only )
(*10) Secure Programing Guide
https://www.ipa.go.jp/security/awareness/vendor/programming/ (in Japanese only)
(*11) AppGoat
https://www.ipa.go.jp/security/vuln/appgoat/ (in Japanese only)
(*12) IPA Data Feeds
https://jvndb.jvn.jp/ja/feed/ (in Japanese only)
(*13) IPA Technical Watch - Daily Practice Guide: Tips on Vulnerability Management
The guide gives tips on how to efficiently and efficiently collect and leverage vulnerability information.
https://www.ipa.go.jp/security/technicalwatch/20150331.html (in Japanese only)
(*14) Information Security Early Warning Partnership
https://www.ipa.go.jp/security/ciadr/partnership_guide.html (in Japanese only)
Information Security Early Warning Partnership Overview
https://www.ipa.go.jp/files/000059696.pdf
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
