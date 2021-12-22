China’s Internet regulator, the Ministry of Industry and Information Technology (MIIT), has suspended a partnership with Alibaba Cloud, the cloud computing subsidiary of e-commerce giant Alibaba Group, for six months to failing to promptly report a critical security vulnerability affecting the widely used Log4j logging library.

The development was reported by Reuters and South China Morning Post, citing a report from the 21st Century Business Herald, a Chinese economic news daily.

“Alibaba Cloud did not immediately report vulnerabilities in the popular open-source logging framework Apache Log4j2 to the Chinese telecommunications regulator,” Reuters said. “In response, MIIT suspended a cooperative partnership with the cloud unit regarding cybersecurity threats and information sharing platforms.”

Traced as CVE-2021-44228 (CVSS score: 10.0) and codenamed Log4Shell or LogJam, the catastrophic security flaw allows malicious actors to execute code remotely by obtaining a specially crafted string. recorded by the software.

Following the public disclosure of the bug, Log4Shell was subjected to widespread exploitation by threat actors to gain control of sensitive servers, through near ubiquitous use of the library, which can be found in a variety of large services. public and enterprise, websites and applications – as well as operational technology products – that depend on them to log security and performance information.

Chen Zhaojun of Alibaba Cloud was credited with reporting the breach on November 24. Further investigation of Log4j by the cybersecurity community has since uncovered three more flaws in the Java tool, prompting the Apache Software Foundation (ASF) to ship a series of fixes to contain real-world attacks exploiting the flaws.

Israeli security firm Check Point said it has blocked more than 4.3 million exploitation attempts so far, 46% of which were by known malicious groups. “This vulnerability can cause the device to be remotely controlled, which will lead to serious risks such as the theft of sensitive information and the disruption of service from the device,” MIIT previously said in a published public statement. December 17th.

The move also comes months after the Chinese government issued new, more stringent vulnerability disclosure regulations that require software and network vendors affected by critical vulnerabilities to disclose them firsthand to government authorities.

In September, the government also followed up by launching “professional cyberspace security and vulnerability databases” for reporting security vulnerabilities in networks, mobile applications, industrial control systems, smart cars. , IoT devices and other Internet products that could be targeted by threat actors.