Font Size Change

HOMEIT SecurityMeasures for Information Security VulnerabilitiesQuarterly ReportsVulnerability Countermeasure Information Database JVN iPedia Registration Status [2021 4th Quarter (Oct. - Dec.)]

PRINT PAGE

IT Security

Vulnerability Countermeasure Information Database JVN iPedia Registration Status [2021 4th Quarter (Oct. - Dec.)]

February 16, 2022
IT Security Center

1. 2021 4th Quarter: Vulnerability Countermeasure Information Database JVN iPedia Registration Status

The vulnerability countermeasure information database JVN iPedia (https://jvndb.jvn.jp/en/) is endeavoring to become a comprehensive vulnerability database where vulnerability information is aggregated for easy access for IT users. JVN iPedia collects and/or translates the vulnerability information published by 1) domestic software developers, 2) JVN (*1), a vulnerability information portal run by JPCERT/CC and IPA, and 3) NVD (*2), a vulnerability database run by NIST (*3). JVN iPedia has been making vulnerability information available to the public since April 25, 2007.


1-1. Vulnerabilities Registered in 2021/4Q

~ JVN iPedia now stores 137,702 vulnerabilities ~

The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 4th quarter of 2021 (October 1 to December 31, 2021) is shown in the table below. As of the end of December 2021, the total number of vulnerabilities stored in JVN iPedia is 137,702 (Table 1-1, Figure 1-1).

As for the JVN iPedia English version, the total number of vulnerabilities stored is 2,375 as shown in the lower half of the Table 1-1.


Table 1-1. Vulnerabilities Registered to JVN iPedia during 4th Quarter of 2021
  Information Source Registered Cases Cumulative Cases
Japanese Version Domestic Product Developers 5 cases 261 cases
JVN 358 cases 10,814 cases
NVD 4,313 cases 126,627 cases
Total 4,676 cases 137,702 cases
English Version Domestic Product Developers 5 cases 256 cases
JVN 33 cases 2,119 cases
Total 38 cases 2,375 cases

1-2. 【Observation 1】Vulnerabilities in Microsoft Windows Products

~Vulnerabilities classified as the highest severity 'High' discovered in a new product 'Microsoft Windows 11' released in October, 2021. Continue to take vulnerability countermeasures~

Microsoft Windows 11 was released on October 5, 2021. This product attracted attention for the successor version of Windows 10, and the number of users has been gradually increasing as it can be upgraded free of charge. Microsoft claims that Windows 11 added a variety of new features and enhanced security such as adopting the Zero Trust concept.(*4)

On the other hand, a number of vulnerabilities have already been discovered and disclosed in Windows 11. 89 cases of vulnerability countermeasure information have registered to JVN iPedia since its release until the end of December 2021. Vulnerabilities classified as 'High' are included among them.

Figure 1-2 shows the percentage of severity of vulnerability countermeasure information registered to JVN iPedia for Windows 8.1, Windows 10, and Windows 11 which are currently supported by Microsoft. As for Windows 11, 12.4% of vulnerabilities are classified as the highest severity 'High' (CVSS base score=7.0-10.0), 70.8% are the next highest severity 'Medium' (CVSS base score =4.0-6.9), and 16.9% are 'Low' (CVSS base score= 0.1-3.9). The result indicates that the vulnerabilities classified as 'High' and 'Medium' are dominated more than 80%. There was not significant difference in the percentage of severity of vulnerability compared to Windows 8.1 and Windows 10. Therefore, it is expected that vulnerability countermeasure information for Windows 11 will continue to be discovered and disclosed in 2022 and beyond in the same trend as the previous Windows OS.

In order to resolve these vulnerabilities and use Windows 11 securely, users are recommended to immediately apply security patches released by Microsoft, as with conventional Microsoft products. IPA publishes alert information as important security information when Microsoft releases its monthly security patches. IPA also provides a service called "icat for JSON" (IPA Cyber security Alert Service for JavaScript Object Notation) (*5) that promptly disseminates the information to the employees of organizations and users of published services, so please take advantage of this service as well.

1-3. 【Observation 2】Vulnerabilities in Apache HTTP Server

~Attacks that exploit a path traversal vulnerability (CVE-2021-41773) have been confirmed in Japan~

In October 2021, the Apache Software Foundation released vulnerability information of Apache HTTP Server (CVE-2021-41773), and several public organizations, including IPA, issued an alert that the vulnerability had been confirmed to be exploited.(*6)(*7)

The vulnerability is a path traversal vulnerability that may allow access to files outside the document root, and if exploited, may allow remote attackers to manipulate files illegally. CVSS Base Score, which indicates the severity of the vulnerability, was 4.3 (*8) and classified as the second highest 'Medium' (CVSS Base Score=4.0-6.9) , but it was not a particularly high value. However, as several exploit codes were disclosed and attacks were confirmed in Japan, organizations using the affected versions of the vulnerability were required to take countermeasures.

In addition, within a few days, another path traversal vulnerability CVE-2021-42013 was revealed to exist in the version of Apache HTTP Server that was released as a fix for CVE-2021-41773. This vulnerability was classified as 'High' (CVSS Base Score=7.0-10.0) with CVSSv2 Base Score of 7.5. (*9) As with CVE-2021-41773, exploit codes for this vulnerability were confirmed, and since it was discovered immediately after the release of modified version of CVE-2021-41773, it has been posted on the Internet (*10) and attracted wide attention.

Apache HTTP Server is a web server program provided by the Apache Software Foundation as open source software. A total of 194 vulnerability countermeasure information for this product has been registered in JVN iPedia until the end of 2021. Figure 1-3 shows the percentage of the severity of vulnerability countermeasure information for Apache HTTP Server registered to JVN iPedia. 12.4% of vulnerabilities are classified as the highest severity 'High' (CVSS base score=7.0-10.0), 82.0% are the next highest severity 'Medium' (CVSS base score =4.0-6.9), and 4.1% are 'Low' (CVSS base score= 0.1-3.9). The result indicates that the vulnerabilities classified as 'High' and 'Medium' dominates, indicating that the vulnerabilities could have a significant impact if exploited.

Widely used Software like Apache HTTP Server attracts the attention of attackers when vulnerability information is disclosed and may be exploited in attacks. Users are recommended to collect vulnerability information and immediately apply security patches when they are released.

2. Details on JVN iPedia Registered Data

2-1. Types of Vulnerabilities Reported

Figure 2-1 shows the number of vulnerabilities newly added to JVN iPedia during the 4th quarter of 2021, sorted by the CWE vulnerability types.

The type of the vulnerabilities reported most in the 4th quarter is CWE-79 (Cross-Site Scripting) with 501 cases, followed by CWE-787 (Out-of-bounds Write) with 274, CWE-269 (Improper Privilege Management) with 172, CWE-89 (SQL Injection) with 165, CWE-125 (Out-of-bounds Read) with 145. CWE-79 (Cross-Site Scripting), the most reported vulnerability type in this quarter, could allow attackers to display false webpages and/or steal information.

Software developers need to make sure to mitigate vulnerability from the planning and design phase of software development. IPA provides tools and guidelines, such as "Vulnerability Countermeasure Guide for Software Developers"" (*11), "How to Secure Your Website" (*12), "Secure Programming Guide" (*13) and "AppGoat" (*14), a hands-on venerability learning tool, for website developers and operators to build secure websites.

2-2. Severity of Vulnerabilities Reported

Figure 2-2 shows the yearly change in the CVSSv2 rating scale based severity of vulnerabilities registered to JVN iPedia.

As for the vulnerabilities added to JVN iPedia in 2021, 22.2 percent are “Level III” (7.0 - 10.0), 62.2 percent are “Level II” (4.0 – 6.9) and 15.6 percent are “Level I” (0.0 – 3.9). This means 84.4 percent of all vulnerabilities registered are Level II or higher, which are potentially critical enough to cause damage like information exposure or data falsification.

Figure 2-3 shows the yearly change in the CVSSv3 rating scale based severity of vulnerabilities registered to JVN iPedia.

As for the vulnerabilities added to JVN iPedia in 2021, 14.1 percent are “Critical” (9.0 – 10.0), 42.3 percent are “High” (7.0 – 8.9), 41.0 percent are “Medium” (4.0 – 6.9) and 2.5 percent are “Low” (0.1 – 3.9).

To avoid threats posed by the known vulnerabilities, both product developers and IT users should pay close attention to vulnerability disclosure and update software they use to a fixed version or apply a security patch as soon as possible when they become available. IT users can check vulnerabilities newly published on JVN iPedia in RSS and XML format (*15) as well.

2-3. Types of Software Reported with Vulnerability

Figure 2-4 shows the yearly change in the type of software reported with vulnerability. Application vulnerabilities have been published most, accounting for 72.1 percent (8,884 out of 12,314) of the 2021 total.

Figure 2-5 shows the yearly change in the number of JVN iPedia-stored vulnerabilities in industrial control systems (ICS) used in critical infrastructure sectors. As of December 2021, the total of 3,198 ICS vulnerabilities have been registered.

2-4. Products Reported with Vulnerability

Table 2-1 lists the top 20 software whose vulnerabilities were most registered to JVN iPedia during the 4th quarter (October to December) of 2021.

In this quarter, the most registered products were Qualcomm products. Qualcomm products were also the most registered products during the quarter in the 1st, 2nd and 4th quarter of 2021.

Besides those in the top 20 list, JVN iPedia stores and offers vulnerability information about a variety of software. IPA hopes software developers and users will make good use of JVN iPedia to efficiently check vulnerability information and take necessary action in a timely manner (*16).


Table 2-1. Top 20 most registered software products vulnerability countermeasure information in JVN iPedia [Oct. – Dec. 2021]
RankCategoryProduct Name (Vendor) Number of
Vulnerabilities
Registered
1 Firmware Qualcomm component (Qualcomm) 979
2 OS Fedora (Fedora Project) 292
3 OS Debian GNU/Linux (Debian) 186
4 OS Android (Google) 155
5 Browser Google Chrome (Google) 110
6 OS Microsoft Windows Server (Microsoft) 102
7 OS Microsoft Windows Server 2022 (Microsoft) 98
8 OS Microsoft Windows 10 (Microsoft) 96
9 OS Microsoft Windows Server 2019 (Microsoft) 95
10 OS Microsoft Windows 11 (Microsoft) 89
11 OS Microsoft Windows Server 2016 (Microsoft) 81
12 Others OnCommand Insight (NetApp) 68
12 OS Microsoft Windows Server 2012 (Microsoft) 68
14 OS Microsoft Windows 8.1 (Microsoft) 63
15 OS Microsoft Windows RT 8.1 (Microsoft) 62
16 OS Linux Kernel (Kernel.org) 56
17 Others SnapCenter (NetApp) 55
17 OS Red Hat Enterprise Linux (Red Hat) 55
17 OS Microsoft Windows Server 2008 (Microsoft) 55
20 OS Microsoft Windows 7 (Microsoft) 51

3. Most Accessed Vulnerability Countermeasure Information

Table 3-1 lists the top 20 most accessed vulnerability countermeasure information in JVN iPedia during the 4th quarter of 2021 (October to December).

The first, second, and third rank vulnerabilities in this quarter were confirmed exploited attacks in Japan respectively and became a hot topic. Especially, vulnerability in Apache Log4j ranked in the second received more than 10,000 accesses as of the end of December, although it was disclosed on December 14, 2021.


Table 3-1. Top 20 Most Accessed Vulnerability Countermeasure Information in JVN iPedia [Oct. – Dec. 2021]
NoIDTitleCVSSv2
Base
Score
CVSSv3
Base
Score
Date
Public
Access
Count
1 JVNDB-2021-000093 Movable Type XMLRPC API vulnerable to OS command injection 7.5 9.8 2021/10/20 10,265
2 JVNDB-2021-005429 Apache Log4j vulnerable to remote code execution (in Japanese only) 9.3 10.0 2021/12/14 10,196
3 JVNDB-2021-000090 Apache HTTP Server vulnerable to directory traversal 5.0 7.5 2021/10/8 7,671
4 JVNDB-2019-013606 Log4j vulnerable to deserialization of untrusted data (in Japanese only) 7.5 9.8 2020/1/10 6,567
5 JVNDB-2021-000088 Multiple vulnerabilities in Cybozu Remote Service 6.3 5.3 2021/9/30 6,411
6 JVNDB-2021-002774 Trend Micro ServerProtect family vulnerable to authentication bypass - - 2021/10/1 6,264
7 JVNDB-2021-000089 Nike App fails to restrict custom URL schemes properly 4.3 4.3 2021/10/8 5,971
8 JVNDB-2021-000097 Multiple vulnerabilities in CLUSTERPRO X and EXPRESSCLUSTER X 10.0 9.8 2021/10/29 5,763
9 JVNDB-2021-000022 Multiple vulnerabilities in Cybozu Office 4.0 4.3 2021/3/15 5,675
10 JVNDB-2021-002810 Information Disclosure Vulnerability in Hitachi Tuning Manager, Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer - - 2021/10/5 5,610
11 JVNDB-2021-002752 Trend Micro HouseCall for Home Networks vulnerable to privilege escalation - - 2021/9/30 5,521
12 JVNDB-2021-000085 SNKRDUNK Market Place App for iOS vulnerable to improper server certificate verification 4.0 4.8 2021/9/28 5,395
13 JVNDB-2021-000091 128 Technology Session Smart Router vulnerable to authentication bypass 7.5 9.8 2021/10/18 5,297
14 JVNDB-2020-006831 WordPress vulnerable to cross-site scripting (in Japanese only) 3.5 6.8 2020/7/20 5,162
15 JVNDB-2021-003080 OMRON CX-Supervisor vulnerable to out-of-bounds read - 6.5 2021/10/18 5,142
16 JVNDB-2021-000084 InBody App vulnerable to information disclosure 2.9 3.5 2021/9/28 5,141
17 JVNDB-2021-000086 WordPress Plugin "OG Tags" vulnerable to cross-site request forgery 2.6 4.3 2021/9/28 5,116
18 JVNDB-2020-005296 Apache log4net vulnerable to XML External Entity(in Japanese only) 7.5 9.8 2020/6/11 5,029
19 JVNDB-2021-000081 Multiple vulnerabilities in Sharp NEC Display Solutions' public displays 10.0 9.8 2021/9/17 5,023
20 JVNDB-2020-006893 WordPress vulnerable to authentication bypass using an alternate path or channel(in Japanese only) 6.0 3.1 2020/7/22 4,993

Table 3-2 lists the top 5 most accessed vulnerability information among those reported by domestic product developers.


Table 3-2. Top 5 Most Accessed Vulnerabilities Reported by Domestic Product Developers [Oct. - Dec. 2021]
NoIDTitleCVSSv2
Base
Score
CVSSv3
Base
Score
Date
Public
Access
Count
1 JVNDB-2021-002810 Information Disclosure Vulnerability in Hitachi Tuning Manager, Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer - - 2021/10/5 5,610
2 JVNDB-2021-003660 Authentication Bypass Vulnerability in Hitachi Device Manager - - 2021/11/1 4,230
3 JVNDB-2021-003811 File Permission Vulnerability in Hitachi Automation Director, Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center - - 2021/11/5 4,223
4 JVNDB-2021-001021 Improper access control vulnerability in JP1/IT Desktop Management 2 - Manager and JP1/NETM/Asset Information Manager - - 2021/2/8 4,034
5 JVNDB-2021-001345 Information Disclosure Vulnerability in Cosminexus - - 2021/4/13 4,023

Note 1) Color Code for CVSSv2 Severity Rating Scale

CVSS Base Score = 0.0~3.9
Severity = Level I (Low)
CVSS Base Score = 4.0~6.9
Severity = Level II (Medium)
CVSS Base Score = 7.0~10.0
Severity = Level III (High)

Note 2) Color Code for CVSSv3 Severity Rating Scale

CVSS Base Score =
0.1~3.9
Severity = Low
CVSS Base Score =
4.0~6.9
Severity = Medium
CVSS Base Score =
7.0~8.9
Severity = High
CVSS Base Score =
9.0~10.0
Severity = Critical

Note 3) Color Code for Published Date

Published in 2019 or before Published in 2020 Published in 2021

Footnotes

(*1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information including information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.
https://jvn.jp/en/

(*2) National Vulnerability Database: A vulnerability database operated by NIST.
https://nvd.nist.gov/home.cfm

(*3) National Institute of Standards and Technology: A U.S federal agency that develops and promotes measurement, standards and technology.
https://www.nist.gov/

(*4) Windows 11: The operating system for hybrid work and learning
https://www.microsoft.com/en-us/microsoft-365/blog/2021/06/24/windows-11-the-operating-system-for-hybrid-work-and-learning/

(*5) "icat for JSON" (IPA Cyber security Alert Service for JavaScript Object Notation)
https://www.ipa.go.jp/security/vuln/icat.html (in Japanese only)

(*6) Vulnerability Countermeasures for Apache HTTP Server (CVE-2021-41773, CVE-2021-42013)
https://www.ipa.go.jp/security/ciadr/vul/alert20211006.html (in Japanese only)

(*7) Alert for Path Traversal Vulnerability in Apache HTTP Server (CVE -2021 -41773)
https://www.jpcert.or.jp/at/2021/at210043.html (in Japanese only)

(*8) CVE-2021-41773
https://nvd.nist.gov/vuln/detail/CVE-2021-41773

(*9) CVE-2021-42013
https://nvd.nist.gov/vuln/detail/CVE-2021-42013

(*10) Apache HTTPD Re-Fixed in Just 3 Days - Previous Fix Not Enough, Could Lead to RCE
https://www.security-next.com/130520 (in Japanese only)

(*11) Vulnerability Countermeasure Guide for Software Developers
https://www.ipa.go.jp/security/vuln/report/notice/guideforvendor.html (in Japanese only )

(*12) How to Secure Your Websites
https://www.ipa.go.jp/security/vuln/websecurity.html (latest version in Japanese only )

(*13) Secure Programming Guide
https://www.ipa.go.jp/security/awareness/vendor/programming/ (in Japanese only)

(*14) AppGoat
https://www.ipa.go.jp/security/vuln/appgoat/ (in Japanese only)

(*15) IPA Data Feeds
https://jvndb.jvn.jp/ja/feed/ (in Japanese only)

(*16) IPA Technical Watch - Daily Practice Guide: Tips on Vulnerability Management
The guide gives tips on how to efficiently and efficiently collect and leverage vulnerability information.
https://www.ipa.go.jp/security/technicalwatch/20150331.html (in Japanese only)

Past Quarterly Reports

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)