China’s Ministry of Industry and Information Technology (MIIT) said it will temporarily suspend a cybersecurity threat intelligence partnership with Alibaba Cloud for failing to first report to the government a critical vulnerability in Apache’s Log4j software, according to a report from a Chinese business-news daily newspaper 21st Century Business Herald.
MIIT, which has been running a threat intelligence sharing platform since late 2019, is suspending the deal with Alibaba Cloud, Alibaba Group Holding’s cloud computing services unit, for six months because the company did not immediately report a critical vulnerability (Log4Shell) in Apache Log4j software library, which caused quite a stir in the cybersecurity community at the beginning of December.
After six months, the ministry would reassess whether to resume the partnership with Alibaba, based on measures the company has taken to address the issue, according to the Alibaba-owned news outlet South China Morning Post.
Log4Shell (CVE-2021-44228) came to light after Alibaba’s cloud security team researcher Chen Zhaojun alerted the Apache Software Foundation (ASF) about the flaw on November 24.
Under a regulation passed this year, Chinese companies are required to report vulnerabilities in the their own software to the MIIT through its National Vulnerability Database website, although South China Morning Post clarifies that the Internet Product Security Loophole Management Regulation only “encourages” companies to report bugs found in others’ software.
Since the disclosure of Log4Shell, multiple threat actors were quick to incorporate the flaw into their attacks. Furthermore, among hacker groups that have been observed exploiting the vulnerability security researchers have seen malicious actors believed to be working on behalf of the Chinese government.