China’s Ministry of Industry and Information Technology (MIIT) temporarily suspended a partnership with Alibaba Cloud, the cloud computing arm of the world’s largest e-commerce company, for six months after the company failed to promptly notify the government of a critical security vulnerability. affecting the widely used Log4j logging library.
Reports from the 21st Century Business Herald, a Chinese business daily, revealed the development to Reuters and the South China Morning Post.
China’s telecom regulator did not receive an immediate report from Alibaba Cloud on vulnerabilities in the open source logging framework Apache Log4j2. MIIT has ended a cooperative partnership with the cloud unit regarding cybersecurity threats and information sharing platforms. CVE-2021-44228 (CVSS score: 10.0) and named Log4Shell or LogJam, the vulnerability allows malicious actors to execute code remotely by obtaining a specially crafted string recorded by the software.
After the bug was publicly disclosed, Log4Shell was exploited by malicious actors to take control of vulnerable servers. This is due to the library’s near-ubiquitous use, found in a variety of consumer and enterprise services, websites, and applications, as well as operational technology products, which rely on it for record security and performance information.
On November 24, Chen Zhaojun of Alibaba’s cloud security team sent an email alerting the Apache Software Foundation (ASF) to the flaw, saying “this has a major impact.” However, just as the patch was being implemented, details of the flaw were shared on an unidentified Chinese blogging platform on December 8, forcing the Apache team to scramble to release a patch.
In the days that followed, further investigation of Log4j by the cybersecurity community revealed three more vulnerabilities, prompting project managers to provide security updates to prevent real-world attacks exploiting these flaws.
Israeli security firm Check Point reports that it has blocked more than 4.3 million exploitation attempts so far, 46% of which came from known malicious groups. “This vulnerability can lead to remote control of the device, resulting in serious risks such as theft of sensitive information and interruptions of the device,” MIIT previously said in a public statement issued on December 17.
Earlier this year, the Chinese government issued new, stricter vulnerability disclosure regulations, requiring software and network vendors affected by critical flaws to immediately notify government authorities.
The government also launched “professional cybersecurity and vulnerability databases” in September to report security vulnerabilities in networks, mobile applications, industrial control systems, smart cars, IoT devices and other products. Internet that could be targeted by malicious actors.