Serious Vulnerability Leads to Suspension for Alibaba Cloud by Ministry of Industry and Information Technology of China
On Wednesday, according to 21st Century Business Herald, the Cyber Security Administration of the Ministry of Industry and Information Technology reported that Alibaba Cloud Computing Co., Ltd. (Alibaba Cloud) failed to report to the telecommunications authorities in time after the discovery of a serious security vulnerability of the Apache Log4j2 component.
The failure to report the vulnerability means that the company has failed to effectively support the Ministry of Industry and Information Technology in their efforts to carry out the management of network security threats and vulnerabilities.
According to the report, the Apache Log4j2 component is an open source logging framework based on Java, which is widely used in business system development. The unreported vulnerability may lead to the ability to remotely take control of equipment and could even lead to serious hazards such as the theft of sensitive information and interruption of equipment service.
These issues are considered high-risk vulnerabilities by the Ministry. As the cooperative unit of the cyber security threat information sharing platform of the Ministry of Industry and Information Technology, Alibaba Cloud failed to report this significant vulnerability in time after first discovering it.
After discussion, the Cyber Security Administration of the Ministry of Industry and Information Technology decided to suspend Alibaba Cloud as the cooperative unit for six months. After that, according to Alibaba Cloud’s rectification, it will consider to restore the company’s qualification.
On November 24, a programmer of Alibaba Cloud discovered the vulnerability that might be “the biggest one in computer history” and disclosed it to the Apache Software Foundation. But Alibaba Cloud didn’t inform the Ministry of Industry and Information Technology of China in time.
Subsequently, the official computer emergency response teams of Austria and New Zealand took the lead in warning of this vulnerability, while the Ministry of Industry and Information Technology of China didn’t discover that there was a serious security vulnerability in the Apache Log4j2 component until it received a report from the cyber security organization.
According to national regulations, network product providers should submit relevant vulnerability information to the Ministry of Industry and Information Technology within two days. But the Ministry of Industry and Information Technology discovered the vulnerability on December 9, fifteen days after Alibaba Cloud had first discovered it.
On September 1 this year, the cyber security threat and vulnerability information sharing platform of the Ministry of Industry and Information Technology organized by the Cyber Security Administration of the Ministry of Industry and Information Technology was officially put into operation.
The platform includes four professional banks of security vulnerabilities, namely, general network products, industrial control products, mobile Internet APP products and car networking products. It supports the technical evaluation of network product security vulnerabilities, and urges network product providers to repair and reasonably release their own product security vulnerabilities in time.