Alibaba Cloud Punished for Not Sharing Log4j Vulnerability First with the Government

The government has suspended its partnership with Alibaba for six months.


China’s Ministry of Industry and Information Technology (MIIT) has suspended its collaboration with Alibaba Cloud for six months in protest after the company failed to inform the government of its discovery of the Log4Shell vulnerability.

Chen Zhaojun of Alibaba Cloud’s security team discovered the flaw and reported it to the Apache Software Foundation (ASF), the developer of Log4j, on November 24, describing a critical flaw in the open-source logging library. But MIIT, China’s leading internet regulator, only became aware of the bug 15 days later, on December 9, via a cybersecurity report that was likely not submitted by Alibaba.

Tracked as CVE-2021-44228, the vulnerability can be abused to gain full control over vulnerable systems, and it has been exploited by both criminal attackers and state-sponsored threat groups, likely even before an official patch was released on December 6.

According to the Chinese outlet 21st Century Herald, Chinese authorities were displeased that they were not informed first about the Log4j vulnerability. As a punishment, the MIIT, which has operated a threat intelligence sharing platform since late 2019, said it would suspend its partnership with Alibaba Cloud for six months, after which it will reassess the firm’s corrective measures and suitability.

"Recently, after discovering serious security vulnerabilities in the Apache Log4j2 component, Alibaba Cloud failed to report to the telecommunications authorities in a timely manner and did not effectively support the Ministry of Industry and Information Technology to carry out cyber security threats and vulnerability management," the local media report said.

A law passed this year in China makes it mandatory for all companies to report vulnerabilities to state regulators within two days. While security flaws may be disclosed to the affected vendor, they cannot be sold or passed on to third parties outside of China. Additionally, the Cyberspace Administration of China published a new set of rules that reclassified data and set out multiple tiers of fines for violations of cybersecurity policy.

Earlier this year, Alibaba was hit with a record antitrust fine of 18.2 billion yuan for violating government monopoly regulations. The Chinese State Administration described the firm’s behavior as having “eliminated and restricted competition in the online retail platform service market” as well as having “infringed on the business of the merchants on the platform.”