July 19, 2007

Reporting status of vulnerability-related information on software products and web applications [2007 second quarter (April to June)]

Information-technology Promotion Agency, Japan (IPA)
Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)

1. Reports received in the 2007 second quarter

Between April 1 and June 30, 2007, IPA received 46 reports concerning software products and 95 concerning web applications, 141 in total. Since reporting began on July 8, 2004, the cumulative totals are 501 software product reports and 940 web application reports, 1,441 in all.

Averaged over working days since July 8, 2004, the cumulative rate reached 1.98 reports per working day at the end of this quarter. Quarterly trend of that average:

  2005/1Q 1.45   2005/2Q 1.43   2005/3Q 1.58   2005/4Q 1.59
  2006/1Q 1.61   2006/2Q 1.70   2006/3Q 1.75   2006/4Q 1.92
  2007/1Q 1.95   2007/2Q 1.98
2. Software products

JVN published 23 vulnerabilities originating from reports to IPA this quarter (193 cumulative). Other counts in this section's handling-status table: 0 and 29; 3 and 74 (rejected this quarter and cumulative); 26 and 296. Details: appendix, P.5.

Notable items this quarter:

(1) Java Web Start vulnerability
Java Web Start, which is installed together with the JRE (Java Runtime Environment), contained a vulnerability that was published on JVN on May 8. Because the affected component is part of the JRE, the countermeasure is to update the JRE itself to a fixed version.

(2) APOP vulnerability
APOP (Authenticated Post Office Protocol) is the POP3 option under which the client proves possession of its password by sending the MD5 (Message Digest 5) hash of the server's greeting timestamp concatenated with the password, so that the password itself never crosses the network. Attacks that exploit the weakness of MD5 against collisions allow a malicious mail server, which is the party that chooses the timestamp, to recover portions of the password. The advisory was published on JVN on April 19.

(3) CVSS v2
CVSS (Common Vulnerability Scoring System) is the open vulnerability severity scoring method proposed by the NIAC (National Infrastructure Advisory Council) in October 2004 and maintained since by the CVSS-SIG (Special Interest Group) of FIRST, the international forum of CSIRTs. On June 20, 2007, FIRST announced CVSS v2. JVN iPedia carries CVSS v2 scores.
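The APOP exchange described under (2) above, as an added example that is not part of the IPA/JPCERT report: both sides of the RFC 1939 protocol, a server-side verifier, and a model of why a hostile server is the threat. The greeting, user name and secret are the worked values from RFC 1939; the `rogue_server_harvest` function and the strict msg-id check in `extract_timestamp` are this example's own additions (the check follows the approach mail clients took in 2007 of refusing challenges that are not well-formed, which is an assumption here, not something the report states). The MD5 collision search that turns harvested digests into password characters is deliberately not reproduced.

```python
"""APOP as specified in RFC 1939, plus the reason a hostile server matters."""
import hashlib
import hmac
import os
import re
import time

# RFC 1939 section 7: the greeting carries a timestamp of the form
# <process-ID.clock@hostname>; the client answers with the user name and
# the hex MD5 of (timestamp + shared secret).  The secret never crosses the wire.

# Hardening check (assumption, not from the report): accept only a well-formed
# msg-id.  Collision-based attacks need the server to send crafted challenges
# that are not of this form, so a client that refuses anything else shuts that door.
_MSGID = re.compile(r"^<[0-9]+\.[0-9]+@[A-Za-z0-9.\-]+>$")


def challenge_is_well_formed(timestamp):
    return _MSGID.match(timestamp) is not None


def apop_banner(hostname, pid=None, clock=None):
    """Server side: build the greeting that offers APOP."""
    pid = os.getpid() if pid is None else pid
    clock = int(time.time()) if clock is None else clock
    return f"+OK POP3 server ready <{pid}.{clock}@{hostname}>"


def extract_timestamp(banner, strict=True):
    """Client side: pull the timestamp out of the greeting, or raise."""
    start = banner.find("<")
    end = banner.find(">", start)
    if start < 0 or end < 0:
        raise ValueError("server did not offer APOP")
    timestamp = banner[start:end + 1]
    if strict and not challenge_is_well_formed(timestamp):
        raise ValueError(f"refusing malformed APOP challenge: {timestamp!r}")
    return timestamp


def apop_digest(timestamp, secret):
    """MD5(timestamp + secret) as 32 lowercase hex characters."""
    return hashlib.md5((timestamp + secret).encode("utf-8")).hexdigest()


def apop_command(user, timestamp, secret):
    """Client side: the APOP command line sent in place of USER/PASS."""
    return f"APOP {user} {apop_digest(timestamp, secret)}"


def apop_verify(command, timestamp, secrets):
    """Server side: recompute the digest from the stored secret and compare."""
    parts = command.split()
    if len(parts) != 3 or parts[0] != "APOP":
        return False
    _, user, digest = parts
    secret = secrets.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(apop_digest(timestamp, secret), digest.lower())


def rogue_server_harvest(secret, challenges, user="mrose"):
    """Threat model: whoever answers the connection (a hostile server or a
    man-in-the-middle) chooses the challenge, and a non-strict client hashes
    its password under every challenge it is handed.  Returns the
    (challenge, digest) pairs such a server collects."""
    harvest = []
    for challenge in challenges:
        banner = f"+OK POP3 server ready {challenge}"
        timestamp = extract_timestamp(banner, strict=False)
        harvest.append((timestamp, apop_command(user, timestamp, secret).split()[2]))
    return harvest


if __name__ == "__main__":
    # Worked exchange from RFC 1939 (shared secret 'tanstaaf'), constructed here.
    banner = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
    ts = extract_timestamp(banner)
    cmd = apop_command("mrose", ts, "tanstaaf")
    print("S:", banner)
    print("C:", cmd)
    print("S:", "+OK" if apop_verify(cmd, ts, {"mrose": "tanstaaf"}) else "-ERR")
```

Validating the challenge only narrows the attack surface; the digest is still an unkeyed MD5 over attacker-influenced input, so the durable fix is to stop relying on APOP and authenticate over TLS (POP3 STLS, RFC 2595) with a mechanism that does not hash the password under a server-chosen value.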
(4) Cumulative JVN publications
As of the end of the 2007 second quarter, JVN had published 193 items originating from reports to IPA and 261 items coordinated with overseas CSIRTs, 454 in total.

(5) JVN iPedia
JVN iPedia (http://jvndb.jvn.jp/), a database of vulnerability countermeasure information, opened on April 25. It started with about 450 entries carried over from JVN and about 3,900 entries imported from the NVD (National Vulnerability Database) operated by NIST (National Institute of Standards and Technology).

3. Web applications

Cases closed this quarter: 96 (792 cumulative). Of these, fixes were completed for 86 (629 cumulative), 9 fell into a second closure category (87 cumulative), and 7 were rejected (69 cumulative). Remaining figures in the same table: -6, 12, 7. Details: appendix, P.10.
4. Handling by IPA

(1) From January 2006 to June 2007, 506 reports were received; the table splits them into 44 and 462.

(2) From January 2006 to June 2007, 233 cases were handled. Remaining figures in this part: 1, 2, 5, 1; 90% within 90 days; 2; 80% within 90 days.

Inquiries

Vulnerability reports:
  IPA        Tel 03-5978-7527   Fax 03-5978-7518   E-mail vuln-inq@ipa.go.jp
  JPCERT/CC  Tel 03-3518-4600   Fax 03-3518-4602   E-mail office@jpcert.or.jp
Press:
  IPA        Tel 03-5978-7503   Fax 03-5978-7510   E-mail pr-inq@ipa.go.jp
  JPCERT/CC  Tel 03-3518-4600   Fax 03-3518-4602   E-mail pr@jpcert.or.jp
Appendix 1: Software products

Figure 1-1 (handling status): published on JVN 23 this quarter, 193 cumulative; rejected 3 this quarter, 74 cumulative; reports received by IPA 501, of which 427 were accepted.

Figures 1-2, 1-3 and 1-4 (breakdowns of the accepted reports) are each based on those 427 accepted reports.
Table 1-1: JVN publications (JPCERT/CC), as of June 2007

                                      This quarter   Cumulative
Reports received by IPA                        23          193
Coordinated with overseas CSIRTs               23          261
Total                                          46          454

JVN (Japan Vulnerability Notes), operated jointly by IPA and JPCERT/CC: http://jvn.jp/

Figure 1-5: Days from receipt of a report to JVN publication. 36% of items were published within 45 days of receipt; the share published within 45 days was 41% in 2006/4Q, 38% in 2007/1Q and 36% in 2007/2Q. Bins: 1-10, 11-20, 21-30, 31-45, 46-100, 101-200, 201-300 and 301 or more days.

Table 1-2: Vulnerabilities published on JVN this quarter from reports received by IPA (notes *1 to *3 in the original)

Level III (CVSS 7.0-10.0)
 1. Java Web Start (bundled with the JRE)                     published 2007-05-08   CVSS 7.0

Level II (CVSS 4.0-6.9)
 2. APOP: password leakage (*3)                               published 2007-04-19   CVSS 4.0
 3. OS command injection in a CGI program                     published 2007-05-16   CVSS 5.6

Level I (CVSS 0.0-3.9)
 4. …Plus and …Plus Ver2                                      published 2007-04-16
 5. GOOUT                                                     published 2007-04-16
 6. open-gorotto (*2)                                         published 2007-04-17
 7. InfoBarrier4 VB100                                        published 2007-04-19
 8. Lunascape: HTML injection in the RSS reader               published 2007-04-25
 9. Advance-Flow                                              published 2007-05-18
10. Mozilla Firefox: HTML handling                            published 2007-06-01
11. HP System Management Homepage                             published 2007-06-01
12. Meneame                                                   published 2007-06-04
13. ADPLAN                                                    published 2007-06-07
14. dotproject                                                published 2007-06-14
15. Apache Tomcat: Web Application Manager                    published 2007-06-15
16. Apache Tomcat: jsp-examples                               published 2007-06-15
17. Internet Explorer: MHTML handling                         published 2007-06-18
18. Internet Explorer: MHTML handling                         published 2007-06-18
19. Apache Tomcat: Accept-Language header handling            published 2007-06-19
20. …HTTPD                                                    published 2007-06-21
21. Hiki (Wiki)                                               published 2007-06-25
22. shttpd                                                    published 2007-06-27
23. rktsns                                                    published 2007-06-27

For five of the Level I items the table also gives a CVSS base score: 1.9, 3.7, 1.9, 1.9 and 1.9.

Vulnerabilities published on JVN this quarter in coordination with overseas CSIRTs (entries 1 to 12 of 23)
 1. MIT Kerberos 5: GSS-API library
 2. MIT Kerberos 5: telnet daemon
 3. MIT Kerberos 5: krb5_klog_syslog()
 4. BIND: denial of service (DoS)
 5. Samba
 6. Samba: NDR parsing in MS-RPC
 7. libpng: denial of service (DoS)
 8. RSA BSAFE Cert-C and Crypto-C: denial of service (DoS)
 9. IPv6 Type 0 routing header
11. Yahoo! Messenger: Yahoo! Webcam view utilities ActiveX and Yahoo! Webcam image upload ActiveX   CVSS 1.9
12. JRE (Java Runtime Environment)
Appendix 2: Web applications

Figure 2-1 (handling status): 89 this quarter, 723 cumulative; fix completed 86 this quarter, 629 cumulative; 9 this quarter, 87 cumulative; further figures 6 and 7; 716 of the 723 cumulative cases (99%). Further pairs (this quarter / cumulative): 9 / 111, 11 / 61, 0 / 18, and 7 / 69 rejected by IPA.

Figures 2-2, 2-3 and 2-4 (breakdowns of the accepted reports) are based on the 871 reports accepted (940 received minus 69 rejected). The categories named in them include SQL injection and cookie handling; the figures 87, 7 and 7 accompany those categories, and one entry refers to March 2007.

Figures 2-5 and 2-6 (time to fix): 53% of fixed cases were fixed within 30 days and 79% within 90 days. Share fixed within 90 days by quarter: 2006/4Q 80%, 2007/1Q 81%, 2007/2Q 79%.
Further information

IPA: http://www.ipa.go.jp/security/vuln/vuln_contents/
JPCERT/CC: http://www.jpcert.or.jp/vh/
JVN (Japan Vulnerability Notes), operated jointly by IPA and JPCERT/CC: http://jvn.jp/
Explanation of terms

Items 1 to 17 define the vulnerability and attack types used in the figures above. Among the terms they cover are SQL injection (1, with a reference to the relevant RFC), cookie handling (5, 15), DNS (6, 15), HTTP (10), the OS (14, 15) and HTTPS (16, 17).

Abbreviations
API    : Application Programming Interface
DNS    : Domain Name System
CGI    : Common Gateway Interface
HTTP   : Hypertext Transfer Protocol
HTTPS  : Hypertext Transfer Protocol Secure (HTTP over SSL/TLS)
ISAKMP : Internet Security Association and Key Management Protocol
MIME   : Multipurpose Internet Mail Extensions
RFC    : Request For Comments
SQL    : Structured Query Language
SSI    : Server Side Include
SSL    : Secure Sockets Layer
TCP    : Transmission Control Protocol
URI    : Uniform Resource Identifier
URL    : Uniform Resource Locator