China’s internet regulator, the Ministry of Industry and Information Technology (MIIT), has suspended a partnership with Alibaba Cloud, the cloud computing subsidiary of e-commerce giant Alibaba Group, for six months for failing to promptly report a critical security vulnerability affecting the broadly used Log4j logging library.
The development was reported by Reuters and South China Morning Post, citing a report from 21st Century Business Herald, a Chinese business-news daily newspaper.
“Alibaba Cloud did not immediately report vulnerabilities in the popular, open-source logging framework Apache Log4j2 to China’s telecommunications regulator,” Reuters said. “In response, MIIT suspended a cooperative partnership with the cloud unit regarding cybersecurity threats and information-sharing platforms.”
Tracked as CVE-2021-44228 (CVSS score: 10.0) and codenamed Log4Shell or LogJam, the catastrophic security shortcoming allows malicious actors to remotely execute code by getting a specially crafted string logged by the software.
Post the bug’s public disclosure, Log4Shell has been subjected to widespread exploitation by threat actors to take control of susceptible servers, thanks to the near-ubiquitous use of the library, which can be found in a variety of consumer and enterprise services, websites, and applications — as well as in operational technology products — that rely on it to log security and performance information.
Chen Zhaojun of Alibaba Cloud has been credited with reporting the flaw on November 24. Further investigation into Log4j by the cybersecurity community has since uncovered three more flaws in the Java-based tool, prompting the Apache Software Foundation (ASF) to ship a series of patches to contain real-world attacks exploiting the flaws.
Israeli security firm Check Point noted that it has blocked over 4.3 million exploitation attempts so far, with 46% of those intrusions made by known malicious groups. “This vulnerability may cause the device to be remotely controlled, which will cause serious hazards such as theft of sensitive information and device service interruption,” the MIIT had previously said in a public statement published on December 17.
The move also comes months after the Chinese government issued new stricter vulnerability disclosure regulations that mandate software and networking vendors affected with critical flaws to disclose them first-hand to the government authorities mandatorily.
In September, the government also followed it up by launching “cyberspace security and vulnerability professional databases” for the reporting of security vulnerabilities in networks, mobile apps, industrial control systems, smart cars, IoT devices, and other internet products that could be targeted by threat actors.