The Ministry of Industry and Information Technology of China has suspended Alibaba Cloud’s membership in an influential security committee to protest its handling of the Log4j vulnerability.
This is odd, because the Apache Software Foundation credits Alibaba Cloud's Chen Zhaojun with first identifying and reporting the Log4j vulnerability. You might think Alibaba Cloud would be praised for identifying a dangerous flaw and for showing that Chinese bug hunters can compare with the world's best.
But according to a report in the Chinese outlet 21st Century Business Herald, Chinese authorities are dissatisfied with the cloud giant's response.
The outlet reported that Alibaba was criticised for failing to report the security vulnerability to the Ministry of Industry and Information Technology (MIIT) in a timely manner, and for failing to effectively support the ministry's cybersecurity threat and vulnerability management efforts.
As punishment, the ministry suspended Alibaba Cloud's position on its security committee for six months. After six months, the ministry will re-evaluate Alibaba Cloud's rectification measures and its eligibility to rejoin.
The Register has not been able to locate the document the Herald refers to. Neither MIIT nor Alibaba has issued a public statement on the decision, so we do not know Beijing's reasoning.
However, we can speculate.
We are aware that this bug was reported to the Apache Foundation on November 24th.
The Cisco Talos security team's Log4j incident timeline states that news of the vulnerability leaked on GitHub on November 30.
Talos and Cloudflare both reported detecting exploitation of the vulnerability before it was disclosed and fixed, on December 1st and December 2nd respectively.
It is not clear how the authors of these exploits learned of the vulnerability.
Another piece of evidence is a since-deleted tweet from the account using the handle @P0rZ9, dated a dozen hours before the Apache Foundation released its patch on December 10.
A since-deleted GitHub post dated December 9th, published by Alibaba staff, is also suspected of having appeared before the patch. The Wayback Machine has retained a copy of the post.
If Alibaba employees are the source of GitHub’s leak, Beijing may want to punish the company for the mistake.
Or Alibaba may not have met local reporting requirements. Chinese companies are required to report vulnerabilities in their own software to the MIIT's National Vulnerability Database website within two days, and Alibaba Cloud almost certainly runs plenty of Log4j in its own systems and in its customers' cloud rigs. The Regulations on Network Product Security Vulnerabilities, in effect since September, also encourage Chinese companies to report bugs in other parties' software.
The most worrying possible reason for Alibaba's punishment is that Beijing is irritated the company reported the vulnerability to Apache, thereby denying China a zero-day exploit with great potential for attack. ®