23 December 2021

Chinese authorities suspend deal with Alibaba for failing to report Log4j flaw to government first


China’s Ministry of Industry and Information Technology (MIIT) said it will temporarily suspend a cybersecurity threat intelligence partnership with Alibaba Cloud for failing to report a critical vulnerability in Apache’s Log4j software to the government first, according to a report from the Chinese business daily 21st Century Business Herald.

MIIT, which has been running a threat intelligence sharing platform since late 2019, is suspending the deal with Alibaba Cloud, Alibaba Group Holding’s cloud computing services unit, for six months because the company did not immediately report a critical vulnerability (Log4Shell) in the Apache Log4j software library, which caused quite a stir in the cybersecurity community at the beginning of December.

After six months, the ministry would reassess whether to resume the partnership with Alibaba, based on measures the company has taken to address the issue, according to the Alibaba-owned news outlet South China Morning Post.

Log4Shell (CVE-2021-44228) came to light after Alibaba’s cloud security team researcher Chen Zhaojun alerted the Apache Software Foundation (ASF) about the flaw on November 24.

Under a regulation passed this year, Chinese companies are required to report vulnerabilities in their own software to the MIIT through its National Vulnerability Database website, although South China Morning Post clarifies that the Internet Product Security Loophole Management Regulation only “encourages” companies to report bugs found in others’ software.

Since the disclosure of Log4Shell, multiple threat actors have been quick to incorporate the flaw into their attacks. Among the groups observed exploiting the vulnerability, security researchers have identified malicious actors believed to be working on behalf of the Chinese government.
