CVE-2017-10899

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in A-Reserve and A-Reserve for MT cloud software allows attackers to execute arbitrary SQL commands on affected systems. Organizations using these products in vulnerable versions are at risk of data breaches and system compromise.

💻 Affected Systems

Products:
  • A-Reserve
  • A-Reserve for MT cloud
Versions: 3.8.6 and earlier
Operating Systems: Any OS running the software
Default Config Vulnerable: ⚠️ Yes
Notes: The cloud version is named explicitly, but on-premise installations in the same version range are likely affected as well.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, privilege escalation, and potential remote code execution on the underlying server.

🟠 Likely Case

Unauthorized access to, modification of, or deletion of reservation and customer information.

🟢 If Mitigated

Limited impact with proper input validation and database permissions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection generally has low exploitation complexity; the advisory does not specify the vulnerable parameter or injection vector.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 3.8.7 or later

Vendor Advisory: https://jvn.jp/en/jp/JVN78501037/index.html

Restart Required: Yes

Instructions:

1. Back up the current installation and database.
2. Download and install version 3.8.7 or later from the vendor.
3. Restart the application services.
4. Verify functionality.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement strict input validation and parameterized queries at the application layer.

Database Permission Reduction (applies to: all)

Limit the database user's permissions to the minimum the application needs to function.

🧯 If You Can't Patch

  • Implement web application firewall with SQL injection rules
  • Isolate affected systems from internet and restrict network access

🔍 How to Verify

Check if Vulnerable:

Check the software version in the admin interface or configuration files. If it is 3.8.6 or earlier, the system is vulnerable.

Check Version:

Check the application admin panel or configuration files for version information.

Verify Fix Applied:

Confirm the version is 3.8.7 or later and test application functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL query patterns
  • Multiple failed login attempts with SQL-like syntax
  • Database error messages in application logs

Network Indicators:

  • Unusual database connection patterns
  • SQL keywords in HTTP requests

SIEM Query:

source="web_logs" AND (url="*SELECT*" OR url="*UNION*" OR url="*INSERT*" OR url="*DELETE*")
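The wildcard query above misses percent-encoded payloads and flags ordinary words such as "select" in search traffic. As an added example (not part of the advisory or the vendor's software), the following Python screener decodes request URLs from constructed combined-format log lines, including double encoding, and matches SQL syntax rather than bare keywords; the `/reserve.cgi` path and all log lines are assumptions constructed for illustration.

```python
"""Screen web-server access logs for SQL-injection-style requests (added example)."""
import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format; paths are hypothetical.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2017:13:55:36 +0900] "GET /reserve.cgi?date=2017-10-11&room=3 HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2017:13:56:01 +0900] "GET /reserve.cgi?room=3%27%20UNION%20SELECT%20name%2Cpass%20FROM%20users-- HTTP/1.1" 200 8810
203.0.113.9 - - [10/Oct/2017:13:57:12 +0900] "GET /reserve.cgi?room=1%2527+oR+1%253D1--+ HTTP/1.1" 500 322
198.51.100.2 - - [10/Oct/2017:13:58:40 +0900] "GET /help.cgi?q=how+to+select+a+room HTTP/1.1" 200 2048
"""

REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

# Match SQL *syntax*, not an English word such as "select" on its own.
SQLI_RE = re.compile(
    r"(\bunion\b\s+(all\s+)?\bselect\b"          # UNION SELECT
    r"|\b(or|and)\b\s+['\"\d]+\s*=\s*['\"\d]+"    # OR 1=1 / OR 'a'='a'
    r"|'\s*(--|#|/\*)"                             # quote followed by a comment
    r"|;\s*(drop|insert|delete|update)\b"          # stacked query
    r"|\bsleep\s*\(|\bbenchmark\s*\()",            # time-based probes
    re.IGNORECASE,
)

def normalize(url: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (catches double encoding) and collapse whitespace."""
    for _ in range(rounds):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return re.sub(r"\s+", " ", url)

def scan_log(text: str) -> list[dict]:
    """Return parsed entries whose decoded URL matches an injection pattern."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed requests
        decoded = normalize(m["url"])
        pat = SQLI_RE.search(decoded)
        if pat:
            hits.append({"ip": m["ip"], "status": int(m["status"]),
                         "url": decoded, "match": pat.group(0)})
    return hits

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ip"], h["status"], repr(h["match"]), h["url"])
```

A 500 status alongside a hit (as in the third sample line) corresponds to the "database error messages in application logs" indicator above and is worth correlating with the application log.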
