Chinese Government Punishes Alibaba for Not Telling It First About Log4Shell Flaw: Report
China’s Ministry of Industry and Information Technology (MIIT) said it will temporarily suspend its collaboration with Alibaba Cloud as a cyber threat intelligence partner due to the fact that the company did not inform the government first about the discovery of the Log4Shell vulnerability, according to local media reports.
The developers of Log4j were informed in late November by Alibaba’s cloud security team that the widely used logging utility had been affected by a critical vulnerability, which would later become known as Log4Shell and LogJam.
Officially tracked as CVE-2021-44228, the flaw can be exploited to gain complete control over vulnerable systems, and it has been exploited by both cybercriminals and state-sponsored threat groups, likely even before an official patch was released on December 6.
According to the South China Morning Post, which is owned by Alibaba, the Chinese government is displeased with the fact that it was not informed first about the Log4j vulnerability. As a result, the MIIT, which has been running a threat intelligence sharing platform since late 2019, said it would suspend work with Alibaba Cloud for six months, after which it will reassess whether the partnership should be resumed.
The publication, which cited local media reports, said the MIIT’s decision could have a negative impact on Alibaba’s business prospects.
A law passed this year in China requires all Chinese citizens who find zero-day vulnerabilities to pass the details to the government. While security flaws can be disclosed to the affected vendor, they cannot be sold or passed on to third-parties outside of China.
However, the South China Morning Post clarified that Chinese companies are obligated to inform the government about vulnerabilities found in their own software, but companies are only “encouraged” to report flaws identified in other vendors’ products.
SecurityWeek has reached out to Alibaba for comment and will update this article if the tech giant responds.
It’s worth noting that among the groups that have been observed exploiting Log4Shell in their attacks, cybersecurity researchers have seen threat actors that are believed to be sponsored by the Chinese government.
The Belgian military this week confirmed a data breach resulting from Log4Shell exploitation, making it the first government organization to officially admit being hit by a Log4Shell attack.
In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive instructing federal agencies to mitigate the Log4j vulnerabilities by December 23.
In the meantime, more Log4j vulnerabilities have come to light. The latest is a high-severity denial-of-service flaw patched over the weekend with the release of version 2.17.0.