China Cloud Security

China Regulators Suspend Alibaba Cloud Partnership Over Log4Shell Reporting (reuters.com)

AltMachine writes: "Chinese regulators on Wednesday suspended an information-sharing partnership with Alibaba Cloud Computing, a subsidiary of e-commerce conglomerate Alibaba Group, over accusations it failed to promptly report and address [the Log4Shell vulnerability]," reports Reuters, citing state-backed media reports. Alibaba Cloud recently discovered a major remote code execution vulnerability in the Apache Log4j2 component, notifying the U.S.-based Apache Software Foundation, but did not immediately report it to the Ministry of Industry and Information Technology (MIIT), China's telecommunications regulator.

MIIT said it then received a report from a third party about the issue (days after), rather than from Alibaba Cloud. "In response, MIIT suspended a cooperative partnership with the cloud unit regarding cybersecurity threats and information-sharing platforms, to be reassessed in six months and revived depending on the company's internal reforms," reports Reuters. According to Chinese laws, companies must report new vulnerabilities within 48 hours.

  • So you don't like that they reported a software issue to the vendor first.. so instead of raising an issue with their management and work with them, your reaction is to cut off their partnership to basically guarantee they don't share information with you down the road?

    • Do you think your own government doesn't think the same?

    • So was the protocol to inform the MIIT and then Apache or did somebody just forget to CC on the email?
      Is China saying that they don't want security vulnerabilities reported to the sponsoring/owning organization responsible for correcting them for the public good?
      Man, you'd think they were looking for back doors or something.

      • Yeah, it sounds like that to me as well. They're being punished for not disclosing it to the CCP so they could turn around and threaten Alibaba Cloud if they reported it to apache.
        • by AmiMoJo ( 196126 )

          It's sad how paranoid people become when you mention the word "China".

          The Chinese government has a law that says vulnerabilities like this must be reported to it. They didn't follow that law. It's very simple, no need to introduce conspiracy theories.

          If you examine the last year's worth of CVEs, you will find that many of them were reported by Chinese nationals, often ones working for Chinese companies like Huawei and Alibaba.

    • Re: (Score:2, Informative)

      by Anonymous Coward

No. They didn't like it that they reported to the vendor and NEVER reported, as the law states, to the MIIT, and that the MIIT had to learn about the bug from a 3rd party instead. The law states that a person finding a bug has to report to MIIT and can, but is not obligated to, report to the vendor.

      • by mysidia ( 191772 )

The law states that a person finding a bug has to report to MIIT and can, but is not obligated to, report to the vendor.

        No.. the regulations require vendors and operators - not individual security researchers report vulnerabilities to the state agencies and register their own vulnerability systems with the ministry - as a cloud provider they may be providing service to certain state entities with whom they must abide certain rules; There is not information here that Alibaba found the product they are providing is impa

    • They already weren't sharing the information. What's the point of a partnership like that?
      • by mysidia ( 191772 )

        They already weren't sharing the information. What's the point of a partnership like that?

        Because they might share information about pertinent vulnerabilities they find in popular software they use if the partnership exist. There could be a multitude of reasons in that ranging from a mistake or inattentiveness by people who were sending the write-ups; all the way up to the most extreme - the reason they failed to "share" might well have been the government's own fault, if the government had made the

        • So the biggest most dangerous vulnerability and they 'just forgot' to pass on the info...

          Again. What's the point of a partnership like that?

          • by mysidia ( 191772 )

            So the biggest most dangerous vulnerability and they 'just forgot' to pass on the info...

            An unmerited assumption. They found a bug in an outside product that a 3rd party vendor (Apache) is responsible for in their capacity as a researcher - that any researcher experimenting with and considering using the library could have discovered. It's not been given that they discovered it by observing incidents of it being exploited against their network product causing an incident on their production network tha

  • state propaganda. Even the most cursory look at their post history makes this blatantly obvious. Thanks for helping /. become a CCP mouthpiece BeauHD.

    • by Anonymous Coward

      What the fuck does this have to do with anything? Is there anything in the summary or in the linked reuters report that is propaganda?

      Ad Hominem at best...

Where companies can withhold info from the government? Wtf are their executives thinking? The CCP has executed capitalists for less. They'll be lucky if a bunch of their managers don't wind up on "vacation" where they drop out of sight for 18 months and then re-appear all contrite, communism-loving, and probably 25 pounds lighter.
  • Serious question what's Jack up to? Whatever he *is* doing will be abruptly halted and I suspect he'll be spending a few months missing again.

  • by Anonymous Coward

    they also would have suspended the partnership.
    They are just looking for any reason to get control over these domestic threats to the PArty.

  • by HnT ( 306652 ) on Thursday December 23, 2021 @09:05AM (#62108973)

I'm surprised their response has taken this long. The Alibaba Cloud security engineer made the vulnerability known to the whole world instead of delivering it to the party silently, thereby robbing the CCP of the easiest hacking access to worldwide IT infrastructure in years. I do not feel so confident about his social credit score and health.

China is upset because by reporting it to Apache first, that meant they couldn't exploit it before the world knew about it.

    Thanks Alibaba cloud for doing the right thing here.

  • by hebertrich ( 472331 ) on Thursday December 23, 2021 @09:51AM (#62109057)

Poor communist party .. their hackers' favourite backdoor now gone .. ofc China would have loved to be told first so they could bury the existence of the vuln just a bit longer for yet one other database download ..

  • ... companies must report new vulnerabilities within 48 hours.", so the CCP can take full advantage of those vulnerabilities to hack the free world. How dare this company not deliver on that!
