China Regulators Suspend Alibaba Cloud Partnership Over Log4Shell Reporting

AltMachine writes: "Chinese regulators on Wednesday suspended an information-sharing partnership with Alibaba Cloud Computing, a subsidiary of e-commerce conglomerate Alibaba Group, over accusations it failed to promptly report and address [the Log4Shell vulnerability]," reports Reuters, citing state-backed media reports. Alibaba Cloud recently discovered a major remote code execution vulnerability in the Apache Log4j2 component, notifying the U.S.-based Apache Software Foundation, but did not immediately report it to Ministry of Industry and Information Technology (MIIT,) China's telecommunications regulator.

MIIT said it then received a report from a third party about the issue (days after), rather than from Alibaba Cloud. "In response, MIIT suspended a cooperative partnership with the cloud unit regarding cybersecurity threats and information-sharing platforms, to be reassessed in six months and revived depending on the company's internal reforms," reports Reuters. According to Chinese laws, companies must report new vulnerabilities within 48 hours.

you forgot to change the subject

[Admiral Krunch]

Must be fake ;)

Re: in china

[Anonymouse Cowtard]

In America you have to do whatever the media, advertisers and celebrities tell you to do.

Re:

[crobarcro]

In America you have to do whatever the media, advertisers and celebrities tell you to do.

No, they might trick you into doing it, but that's very different from being jailed or disappeared.

Re:

[hackingbear]

No, they might trick you into doing it, but that's very different from being jailed or disappeared.

Really? [wikipedia.org]

Re:

[K. S. Kyosuke]

Media, advertisers, and celebrities did this?

Re: in china

[algaeman]

Kim Kardashian has been all over this log4j issue.

Re:

[Admiral Krunch]

In America you have to do whatever the media, advertisers and celebrities tell you to do.

No you mustn't do that at all. That's the worst thing you could do.

I know because I was told by the other sides media, advertisers and celebrities.

Lol, dumb government

[mysidia]

So you don't like that they reported a software issue to the vendor first.. so instead of raising an issue with their management and work with them, your reaction is to cut off their partnership to basically guarantee they don't share information with you down the road?

Re:

[mustafap]

Do you think your own government doesn't think the same?

Re:

[Virtucon]

So was the protocol to inform the MIIT and then Apache or did somebody just forget to CC on the email?
Is China saying that they don't want security vulnerabilities reported to the sponsoring/owning organization responsible for correcting them for the public good?
Man, you'd think they were looking for back doors or something.

Re: Lol, dumb government

[klipclop]

Yeah, it sounds like that to me as well. They're being punished for not disclosing it to the CCP so they could turn around and threaten Alibaba Cloud if they reported it to apache.

Re:

[AmiMoJo]

It's sad how paranoid people become when you mention the word "China".

The Chinese government has a law that says vulnerabilities like this must be reported to it. They didn't follow that law. It's very simple, no need to introduce conspiracy theories.

If you examine the last year's worth of CVEs, you will find that many of them were reported by Chinese nationals, often ones working for Chinese companies like Huawei and Alibaba.

Re:

[Anonymous Coward]

No. They didn't like it that they reported to the vendor and NEVER reported as law stated to the MIIT, and that the MIIT had to learn about the bug from a 3rd party instead. The law states that a person finding a bug has to report to MIIT and can but not obligated to the vendor.

Re:

[mysidia]

The law states that a person finding a bug has to report to MIIT and can but not obligated to the vendor.

No.. the regulations require vendors and operators - not individual security researchers report vulnerabilities to the state agencies and register their own vulnerability systems with the ministry - as a cloud provider they may be providing service to certain state entities with whom they must abide certain rules; There is not information here that Alibaba found the product they are providing is impa

Re:

[Admiral Krunch]

They already weren't sharing the information. What's the point of a partnership like that?

Re:

[mysidia]

They already weren't sharing the information. What's the point of a partnership like that?

Because they might share information about pertinent vulnerabilities they find in popular software they use if the partnership exist. There could be a multitude of reasons in that ranging from a mistake or inattentiveness by people who were sending the write-ups; all the way up to the most extreme - the reason they failed to "share" might well have been the government's own fault, if the government had made the

Re:

[Admiral Krunch]

So the biggest most dangerous vulnerability and they 'just forgot' to pass on the info...

Again. What's the point of a partnership like that?

Re:

[mysidia]

So the biggest most dangerous vulnerability and they 'just forgot' to pass on the info...

An unmerited assumption. They found a bug in an outside product that a 3rd party vendor (Apache) is responsible for in their capacity as a researcher - that any researcher experimenting with and considering using the library could have discovered. It's not been given that they discovered it by observing incidents of it being exploited against their network product causing an incident on their production network tha

Submitter is a wumao subtmitting CCP

[waspleg]

state propaganda. Even the most cursory look at their post history makes this blatantly obvious. Thanks for helping /. become a CCP mouthpiece BeauHD.

Re:

[Anonymous Coward]

What the fuck does this have to do with anything? Is there anything in the summary or in the linked reuters report that is propaganda?

Ad Hominem at best...

does Alibaba suddenly think its in the US

[hdyoung]

Where companies can withhold info from the government? Wtf are their executives thinking? The CCP has executed capitalists for less. They’ll be lucky if a bunch of their managers dont wind up on “vacation” where they drop out of sight for 18 months and then re-appear all contrite, communism-loving, and probably 25 pounds lighter.

What's Jack Ma up to these days?

[Virtucon]

Serious question what's Jack up to? Whatever he *is* doing will be abruptly halted and I suspect he'll be spending a few months missing again.

If Jack Ma would have farted in public

[Anonymous Coward]

they also would have suspended the partnership.
They are just looking for any reason to get control over these domestic threats to the PArty.

Wehrkraftzersetzung in Chinese

[HnT]

Iâ(TM)m surprised their response has taken this long. The alibaba cloud security engineer made the vulnerability known to the whole world instead of delivering it to the party silently, thereby robbing the CCP of the easiest hacking access to world wide IT infrastructure in years. I do not feel so confident about his social credit score and health.

Annoyed they didn't get a head start on exploiting

[zuckie13]

China is upset because by reporting it to Apache first, that meant the couldn't exploit it before the world knew about it.

Thanks Alibaba cloud for doing the right thing here.

all their work .. gone ..

[hebertrich]

Poor communist party .. their hacker's favourite backdoor now gone .. oifc China would have4 loved to be told first so they could bury the existence of the vul just a bit longer for yet one other database download ..

"According to Chinese laws, ...

[RitchCraft]

... companies must report new vulnerabilities within 48 hours.", so the CCP can take full advantage of those vulnerabilities to hack the free world. How dare this company not deliver on that!