The Ministry of Industry and Information Technology (MIIT) of China temporarily suspended a partnership with Alibaba Cloud, the cloud computing subsidiary of the world’s largest e-commerce company, for six months after the company failed to promptly notify the government about a critical security vulnerability affecting the widely used Log4j logging library.
Reports from 21st Century Business Herald, a Chinese daily business newspaper, revealed the development to Reuters and South China Morning Post.
China’s telecommunications regulator did not receive an immediate report from Alibaba Cloud about vulnerabilities in the open-source logging framework Apache Log4j2. The MIIT stopped a cooperative partnership with the cloud unit regarding cybersecurity threats and information-sharing platforms.
Tracked as CVE-2021-44228 (CVSS score: 10.0) and codenamed Log4Shell or LogJam, the vulnerability allows malicious actors to remotely execute code by getting a specially crafted string logged by the software.
Since the bug’s public disclosure, Log4Shell has been abused by threat actors to gain control of vulnerable servers. This is due to the near-ubiquitous use of the library, which can be found in a variety of consumer and enterprise services, websites, and applications, as well as in operational technology products, which depend on it to log security and performance information.
On November 24, Chen Zhaojun of Alibaba’s cloud security team sent an email alerting the Apache Software Foundation (ASF) about the flaw, saying “it has a major impact.” However, just as the fix was being implemented, details of the flaw were shared on an unidentified Chinese blogging platform on December 8, sending the Apache team scrambling to release a patch.
In the ensuing days, further investigations into Log4j by the cybersecurity community uncovered three more vulnerabilities, prompting the project maintainers to ship security updates to prevent real-world attacks exploiting the flaws.
Israeli security firm Check Point reports that it has blocked over 4.3 million exploitation attempts so far, with 46% of those attempts made by known malicious groups.
“This vulnerability may lead to remote control of the device, leading to serious risks such as theft of sensitive information and device interruptions,” the MIIT had previously said in a public statement published on December 17.
Earlier this year, the Chinese government issued new, stricter vulnerability disclosure regulations that require software and networking vendors affected by critical flaws to notify government authorities right away.
The government also launched “cybersecurity and vulnerability professional databases” in September for the reporting of security vulnerabilities in networks, mobile apps, industrial control systems, smart cars, IoT devices, and other internet products that could be targeted by malicious actors.