Alibaba Suffers Government Crackdown Over Log4j

Chinese tech giant Alibaba has reportedly been shunned by China’s top tech regulator for failing to report the infamous Log4j vulnerability quickly enough.

Local media claimed that the firm’s Alibaba Cloud business, which has a large team of security researchers, failed to report the issue to the Ministry of Industry and Information Technology (MIIT).

According to news site Protocol, a Chinese regulation dubbed Provisions on Security Loopholes of Network Products was in force as of September. It mandates vulnerabilities be reported immediately to the manufacturer and within two days to the Chinese authorities.

As a result, Alibaba Cloud has reportedly been suspended from MIIT’s threat information sharing platform for six months.

Alibaba Cloud researcher Chen Zhaojun is credited by Apache with finding the first bug in the popular logging utility, dubbed “Log4Shell.”

It was given a CVSS score of 10.0, with commentators describing it as a “worst-case scenario” because the utility is near-ubiquitous in enterprises, can be hard to find, and the bug is relatively easy to exploit.

Chen reportedly notified Apache on November 24, but MIIT only became aware of it on December 9.

Research from several years ago claimed that China’s National Vulnerability Database (CNNVD) is faster at updating with the latest CVEs than the US equivalent (NVD).

However, the researchers later found that this was down to government manipulation.

On further investigation, they found that the Chinese authorities tried to backdate original publication dates for vulnerabilities to disguise their own work to exploit these bugs in state-backed attacks.

Recorded Future argued that the CNNVD is essentially a “shell” for the government’s fearsome Ministry of State Security (MSS), a prodigious hacker of foreign entities.

“This systemic retroactive alteration of original publication dates by CNNVD is an attempt to hide the evidence of this process, obfuscate which vulnerabilities the MSS may be utilizing, and limit the methods researchers can use to anticipate Chinese APT behavior,” the firm said at the time.

“There is no other logical explanation as to why only the initial publication dates for outlier CVEs would have been altered.”

The latest action against Alibaba could also be viewed as part of a recent Communist Party crackdown on big tech, which has cost investors trillions.