tencent cloud

Web Application Firewall

Release Notes and Announcements

Product Announcement

Adjusting Billing of WAF BOT Traffic Management

Security Advisory

Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44832)

Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-45046)

Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44228)

Notice for WebLogic Console HTTP RCE Vulnerability

Notice for Exchange Server Command Execution Vulnerability

Notice for Yonyou GRP-U8 SQL Injection Vulnerability

Notice for Apache Cocoon XXE Vulnerability (CVE-2020-11991)

Notice for WordPress File Manager Arbitrary Code Execution Vulnerability

Jenkins Security Advisory for September

Notice for Apache Struts 2 RCE Vulnerabilities (CVE-2019-0230 and CVE-2019-0233)

Notice for Apache SkyWalking SQL Injection Vulnerability (CVE-2020-13921)

Product Introduction

Product Category

Plans and Editions

Supported Regions

Purchase Guide

Billing Overview

Chinese Mainland

WAF Plan Upgrade Method

Renewing Connections

Payment Overdue

Getting Started

Getting Started

FAQs for Beginners

Operation Guide

SaaS WAF Connection

Step 1. Add a Domain Name

Step 2. Perform Local Testing

Step 3. Modify DNS Resolution

Step 4. Configure a Security Group

Step 5. Verify the Configuration

CLB WAF Connection

Step 1. Confirm CLB Configuration

Step 2. Bind Domain Name to CLB Instance

Step 3: Verify the configuration

Connect Via Instance Object

Cloud-Native Instance Object Access

Bot and Application Security

Bot Settings

Bot Management

Client Risk Identification

Bot Analytics

Threat Intelligence Module

Bot Flow Statistics Module

Action Settings

Bot Traffic Visibility

Bot Traffic Analysis

Bot Traffic Details

Asset Center

Instance Management

Domain Name List

Advanced Connection Feature

API Asset Management

Basic Security Configurations

IP Blocking Penalty

Region Blocking

CC Protection Rule Settings

Web Tamper Protection

Data Leakage Protection

API Security Management

API Traffic Analysis

Threat Operation

API Event Management

Bot Event Management

Blocklist/Allowlist Protection Settings

Precise Allowlist Management

Traffic Inspection

Statistics and Logs

Sandbox Isolation Status

Practical Tutorial

WAF CCP Overview

Bot Management

Best Practices of Scenario-Based Bot Configuration

Best Practices of Bot Traffic Management Connection

API Security

API Security Practice Tutorial

WAF Working with API Gateway

API Capacity Protection

API Data Security and Enhancement

API Exposure Management

API Behavior Control

Integration

Combined Application of WAF and Anti-DDoS Pro

Applying for and Using Free HTTPS Certificates

Obtaining Real Client IPs

Replacing Certificate

Protection Configuration

Setting CC Protection

Connecting Frontend-Backend Separated Site to WAF CAPTCHA

Setting WAF Exception Alarms in TCOP

API Documentation

Making API Requests

Request Structure

Asset Management APIs

DescribeDomains

Billing APIs

GenerateDealsAndPayNew

DescribeInstances

Protection Settings APIs

Other APIs

IP Management APIs

DeleteIpAccessControlV2

DescribeBatchIpAccessControl

DescribeIpAccessControl

CreateIpAccessControl

ModifyIpAccessControl

ImportIpAccessControl

Integration APIs

DescribeHostLimit

DescribeUserDomainInfo

DescribeCertificateVerifyResult

DescribeTlsVersion

ModifyHostFlowMode

ModifySpartaProtection

AddSpartaProtection

DescribeUserClbWafRegions

RefreshAccessCheckResult

DeleteSpartaProtection

DescribeCiphersDetail

DescribeDomainDetailsClb

DescribeDomainDetailsSaas

ModifyDomainIpv6Status

DescribeVipInfo

Log Service APIs

GetAttackHistogram

GetAttackTotalCount

ModifyDomainPostAction

SearchAttackLog

Security Overview APIs

DescribeAttackType

DescribeHistogram

DescribePeakPoints

DescribePolicyStatus

DescribeTopAttackDomain

DescribeAttackOverview

FAQS

Product Consultation

Connection

Associated Product

Service Level Agreement

WAF Policy

Data Processing And Security Agreement

DocumentationWeb Application FirewallRelease Notes and Announcements Security AdvisoryNotice for Yonyou GRP-U8 SQL Injection Vulnerability

Notice for Yonyou GRP-U8 SQL Injection Vulnerability

Last updated: 2022-06-23 11:14:26

Notice for Yonyou GRP-U8 SQL Injection Vulnerability

Last updated: 2022-06-23 11:14:26

On September 11, 2020, Tencent Security noticed a SQL injection vulnerability in Yonyou GRP-U8 internal control and management software for government affairs. Attackers can use a carefully constructed payload to perform SQL injection attacks in order to get sensitive database information.
Exploitations in the wild (ITW) have been detected, and Tencent Cloud WAF supports defense against them. 
Vulnerability Details
Attackers can use a carefully constructed payload to perform SQL injection attacks in order to get sensitive database information, and Tencent Cloud WAF currently supports defense against them. 
Affected Versions
Yonyou GRP-U8 internal control and management software for government affairs.
Suggestions for Fix
According to the vulnerability advisory, there is currently no official update. Tencent Security recommends you:
Restrain exposing the software to the public network due to its sensitivity or use an allowlist policy.
Use WAF to detect and block attacks.
References
CNVD-2020-49261
Yonyou Gov website

Was this page helpful?

You can also Contact Sales or Submit a Ticket for help.

Yes

No

Contact Us

Contact our sales team or business advisors to help your business.

Technical Support

Open a ticket if you're looking for further assistance. Our Ticket is 7x24 available.

7x24 Phone Support