Chinese regulators suspend Alibaba Cloud over failure to report Log4j vulnerability
Chinese media outlets have reported that Alibaba Cloud is facing backlash from government regulators after the company reported the Log4j vulnerability to Apache before notifying the Ministry of Industry and Information Technology (MIIT).
21st Century Business Herald said local reporters were informed on Wednesday that the Cyber Security Administration of the MIIT was suspending its information-sharing partnership with Alibaba Cloud for six months, specifically citing the failure to report Log4j as the reason.
Chen Zhaojun, a security engineer at Alibaba Cloud, was identified by Bloomberg News as the first person to discover the Log4J vulnerability and report it to Apache. Zhaojun told Apache on November 24 and a third party later informed the MIIT in a report on December 9, according to Reuters.
“Recently, after discovering serious security vulnerabilities in the Apache Log4j2 component, Alibaba Cloud failed to report to the telecommunications authorities in a timely manner and did not effectively support the Ministry of Industry and Information Technology to carry out cyber security threats and vulnerability management,” the local media report said.
The Protocol noted that China recently put into effect a new law that makes it mandatory for all companies to report vulnerabilities to state regulators within two days.
The Chinese government has sought to get a better handle on cybersecurity and privacy in recent months, passing multiple laws and issuing warnings to major companies about the need to protect data shared outside of China.
Alibaba was hit with a record 18.2 billion yuan fine and 33 other mobile apps have faced criticism from Beijing for their data collection policies. Didi has faced a major cybersecurity review, while Alibaba and Tencent have come under government scrutiny in recent months as well.
In November, the Cyberspace Administration of China unveiled a new set of laws that reclassified data and laid out multiple sets of fines for violations of cybersecurity policy.