Instructions

Vulnerability ID

A Vulnerability ID is a unique number that identifies vulnerability information. In the past, JVN used various ID formats to identify vulnerability information based on its provider. Since May 16, 2016, the JVN English Site has been expanded to publish reports with various IDs. An ID in the format "JVN#12345678" is assigned to vulnerability information reported in Japan through the "Information Security Early Warning Partnership". Vulnerability information in the ID format "JVNVU#12345678" refers to information reported outside of the aforementioned partnership. The ID format "JVNTA#12345678" is assigned to a Technical Alert published by JPCERT/CC.

Vulnerability ID System
Vulnerability ID Format | Description
JVN#12345678 | Vulnerability reports coordinated within the "Information Security Early Warning Partnership"
JVNVU#12345678 | Vulnerability reports directly reported to and coordinated by JPCERT/CC
JVNTA#12345678 | Technical Alerts published by JPCERT/CC

Title

The Title states the type of vulnerability and the system/product in which it exists.

Critical

Vulnerability information marked as "Critical" indicates that JPCERT/CC strongly recommends that users apply a patch or workarounds to the affected system/product immediately, because the impact on the affected system/product, or on anything related to it such as its environment, is suspected to be quite severe.

The word "Critical" is also displayed at the end of the title line in the list of 15 Recent Vulnerability Notes on the JVN top page.

Please note that the "Critical" mark is only a reference; actual severity may differ depending on the environment where the system/product is used and on how important the system/product is to the business or how much the business relies on it. Therefore, it is crucial for each organization to decide whether to take immediate action by reading the details of the vulnerability report.

Overview

This section provides an overview of the vulnerability. It is an executive summary that helps readers decide whether they need to read the rest of the vulnerability note for details.

Products Affected

This section lists the name and version number of each product that contains the vulnerability.

Description

This section provides a detailed description of the vulnerability.

Impact

This section describes the possible impact if the vulnerability is exploited.

Solution

This section provides solutions to the vulnerability.

There are two types of solutions. One is to update or upgrade the product to resolve the vulnerability.
The other is to apply workarounds to mitigate impacts of the vulnerability.

Vendor Status

1. What is Vendor Status?

Vendor Status provides the information that the vendor (product developer) has published regarding the vulnerability. Information from registered vendors participating in the "Information Security Early Warning Partnership" is shown as follows:

Vendor | Status | Last Update | Vendor Notes
XXX Corporation | Vulnerable | 2000/01/01 | XXX Corporation website

Alternatively, links to the information published by vendors are listed as follows.

Vendor | URL
XXX Corporation | Security Patch for YYYY

2. Status

There are five types of vendor status, shown as follows.

Status | Description
Vulnerable | There is a system/product affected by the vulnerability.
Vulnerable, investigating | The vendor has found an affected product, but is still investigating.
Not Vulnerable | There is no system/product affected by the vulnerability.
Not Vulnerable, investigating | The vendor has not yet found an affected system/product, but is still investigating.
Unknown | JPCERT/CC has not received a vendor statement yet.

3. Vendor Notes

Vendor Notes provides a link to the advisory, security-related page, etc. on the vendor's website regarding the vulnerability.

References

This section provides links to the documents released by other CSIRT organizations or security vendors.

JPCERT/CC Addendum

This section provides additional information from JPCERT/CC.

Vulnerability Analysis by JPCERT/CC

1. What is Vulnerability Analysis by JPCERT/CC?

This section provides an analysis conducted by JPCERT/CC on the severity of the vulnerability.
On JVN, the Base Scores of both CVSS v3 and CVSS v2 are used to assess vulnerabilities.

When JavaScript is enabled, the charts will be hidden. To view the charts, click on each of the scores.

For more information, refer to the "A Complete Guide to the Common Vulnerability Scoring System Version 2.0" for CVSS v2, "Common Vulnerability Scoring System v3.0: Specification Document" and "Common Vulnerability Scoring System v3.0: User Guide" for CVSS v3.

2. Example

Vulnerability Analysis by JPCERT/CC

CVSS v3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Base Score: 10.0
Attack Vector (AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N)
Attack Complexity (AC) | High (H) | Low (L)
Privileges Required (PR) | High (H) | Low (L) | None (N)
User Interaction (UI) | Required (R) | None (N)
Scope (S) | Unchanged (U) | Changed (C)
Confidentiality Impact (C) | None (N) | Low (L) | High (H)
Integrity Impact (I) | None (N) | Low (L) | High (H)
Availability Impact (A) | None (N) | Low (L) | High (H)

CVSS v2: AV:N/AC:H/Au:N/C:P/I:N/A:N
Base Score: 2.6
Access Vector (AV) | Local (L) | Adjacent Network (A) | Network (N)
Access Complexity (AC) | High (H) | Medium (M) | Low (L)
Authentication (Au) | Multiple (M) | Single (S) | None (N)
Confidentiality Impact (C) | None (N) | Partial (P) | Complete (C)
Integrity Impact (I) | None (N) | Partial (P) | Complete (C)
Availability Impact (A) | None (N) | Partial (P) | Complete (C)

Comment

If there are any comments on the analysis, they will be listed here.


Previous "Vulnerability Analysis by JPCERT/CC"


Credit

Individuals or organizations who identified and reported the vulnerability are listed here unless they do not wish to be credited.

Other Information

This section lists related alert and advisory links, such as JPCERT Alert, JPCERT REPORT, CERT Advisory, CPNI Advisory, TRnotes, CVE, and JVN iPedia.

Note

On April 25, 2007, the JVN design was renewed to include the sections of "Description", "Solution", "JPCERT/CC addendum", and "Vulnerability Analysis by JPCERT/CC". Therefore, vulnerability notes released prior to this date may not have the information listed above.