China suspends a deal with Alibaba for not reporting the Log4j zero-day

Alibaba Group gets a six-month suspension for failing to report the critical security flaw that affected a broadly used logging library

China regulator suspends Alibaba Cloud deal. Information-sharing partnership with Alibaba suspended for 6 months due to failed report of Log4j

China's Ministry of Industry and Information Technology (MIIT) suspended its partnership with Alibaba Group.[1] The e-commerce company's cloud computing subsidiary failed to report the major Log4j security vulnerability promptly.[2] The report should have been issued immediately, but the issues in the Apache open-source logging framework Log4j2 were not reported to the telecommunications regulator. News reports[3] state:

In response, MIIT suspended a cooperative partnership with the cloud unit regarding cybersecurity threats and information-sharing platforms.

The vulnerability, which has a CVSS score of 10 and received the codename Log4Shell or LogJam, created major issues and led to consequences all over the world.[4] Malicious actors can remotely run arbitrary code by getting the software to log specially crafted strings.

Widespread exploitation and major consequences

Reports about multiple security vulnerabilities surfaced, and threat actors managed to take control of susceptible servers. Because the library is popular in various consumer and enterprise services, websites, applications, and operational technology products, the flaw created problems that disrupted operations and performance.[5]

Alibaba Cloud reported the flaw on November 24th, and cybersecurity investigations followed. Since then, three more flaws in Java-based tools have been discovered. The Apache Software Foundation had to ship several patches to contain the widespread attacks exploiting these security flaws.

This vulnerability may cause the device to be remotely controlled, which will cause serious hazards such as theft of sensitive information and device service interruption.

Check Point has also blocked more than 4.3 million attempts to exploit the zero-day flaw. Analysis of the incidents showed that 46% of these attacks were carried out by known threat actor groups. Attackers have made thousands of attempts to exploit this severe flaw, and botnets and other malware were delivered through it. These issues might not stop, since threat actors take advantage of various security flaws and this one sits at the top of the severity scale.

The suspension comes after a disclosure regulations mandate

The Chinese government released new, stricter security vulnerability disclosure regulations a few months back. The regulations mandate that software developers and networking vendors affected by these security incidents and critical flaws report them first-hand to the relevant authorities.

Zero-day vulnerabilities and other security flaws or bugs need to be reported to the government as soon as possible. The Cyberspace Administration of China expects the rules to shape how issues are reported and to standardize the discovery, reporting, repair, and release of critical cybersecurity flaws to prevent consequences and major attack risks.

The regulations also aim to ensure that no organization or individual can take advantage of network security flaws to endanger the security of the network. This includes illegally collecting, selling, or publishing sensitive data about the product's security or network.

These new rules also forbid selling previously unknown flaws. They also aim to prevent security flaws from being disclosed to individuals or organizations in other countries that are not involved in manufacturing the product. Any public disclosure needs to be accompanied at the same time by network recovery, repairs, or preventative measures.

It is the norm to notify vendors about such security vulnerabilities first, but China now wants to change this. The new law encourages companies to report these cybersecurity issues to the government before anything else.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
