Alibaba Cloud struggling with Beijing over Log4J announcement • The Register

China’s Ministry of Industry and Information Technology has suspended Alibaba Cloud’s membership in an influential security council to protest its handling of the Log4j flaw.

The move seems strange, since The Apache Software Foundation credited Chen Zhaojun of Alibaba Cloud with identifying and reporting the Log4j flaw in the first place. You might think Alibaba Cloud deserves a parade for identifying a dangerous flaw and showing that Chinese bug hunters can match the best in the world.

But according to the Chinese outlet 21st Century Herald, Chinese authorities were unhappy with the cloud giant’s response.

The outlet reported that Alibaba drew the ministry’s anger for failing to report security vulnerabilities to MIIT in a timely manner and for not effectively supporting the ministry’s network security threat and vulnerability management efforts.

As punishment, the ministry suspended Alibaba Cloud’s seat on its security council for six months. After six months, the ministry will reassess Alibaba Cloud’s corrective actions and its suitability for membership.

The Register was unable to find the document the Herald referred to, and neither MIIT nor Alibaba has issued any public statement on the decision, so we are in the dark about Beijing’s reasoning.

However, we can speculate.

We know the bug was reported to the Apache Foundation on November 24.

A chronology of the Log4j incident compiled by Cisco’s Talos security team states that news of the flaw leaked to GitHub on November 30.

Talos and Cloudflare both reported that they detected exploitation of the bug in the wild before it was disclosed and fixed, first on December 1 and again on December 2.

It is not known exactly how the perpetrators of these exploits learned of the bug.

Another piece of evidence, a since-deleted tweet from an account using the handle @P0rZ9, was dated a dozen hours before the Apache Foundation released its patch on December 10.

A since-deleted GitHub post dated December 9, written by an Alibaba staff member, is also believed to have been published before the patch. The Wayback Machine retains a copy of the post here.

If Alibaba employees were the source of the GitHub leak, Beijing might want to punish the company for that lapse.

Or maybe Alibaba didn’t meet local reporting requirements. Chinese companies are required to report vulnerabilities in their own software to MIIT’s National Vulnerability Database website within two days, and Alibaba Cloud is likely to have a lot of Log4j both in its own systems and software and on the cloud platforms of its customers. The Network Product Security Vulnerability Provisions, which went into effect in September, also encourage Chinese companies to report bugs in other software.

The scariest possible reason Alibaba was punished is that Beijing is upset that the company reported the flaw to Apache, denying China a zero-day exploit that had enormous offensive potential. ®