Apache Log4j bug: China’s industry ministry pulls support from Alibaba Cloud for not reporting flaw to government first

  • The Ministry of Industry and Information Technology said it will suspend work with Alibaba Cloud as a cybersecurity threat intelligence partner for six months
  • Notifying vendors first about security flaws is a cybersecurity industry norm, but a new law encourages Chinese companies to first notify the government

Since a critical flaw in Apache’s Log4j software was disclosed by an Alibaba Cloud engineer, cybersecurity professionals say they have seen an increase in scans for the vulnerability. Photo: Reuters
China’s internet security regulator has disciplined Alibaba Group Holding’s cloud computing services unit for failing to first report to the government a critical vulnerability in Apache’s Log4j software that has alarmed the cybersecurity community, Chinese media reported on Wednesday.

The Ministry of Industry and Information Technology (MIIT) is suspending work with Alibaba Cloud as a cybersecurity threat intelligence partner for six months because the company did not immediately report a severe bug in the widely used logging software to the government agency, the 21st Century Business Herald reported. The ministry also said it would reassess whether to resume the partnership at that time, based on measures Alibaba has taken to correct the problem.

Losing the support of the agency could affect business prospects for the cloud computing unit of Alibaba, the owner of the South China Morning Post. However, specific losses for the country’s largest cloud business are hard to determine.

The MIIT launched a cybersecurity threat intelligence sharing platform in December 2019 to serve as a state-led alliance in dealing with security threats. Membership in the platform is government recognition of the member’s capabilities in spotting and managing threats.

The MIIT did not publish a public statement about its decision, and Alibaba did not respond to a request for comment.

The Log4j vulnerability has been described as a “nightmare” and “catastrophic”, with some experts saying it is the most severe cybersecurity threat ever by number of devices affected. The simple piece of Java-based software can be found in countless internet-connected devices, from Internet-of-Things products like televisions and cameras to the servers running cloud operations for tech giants like Amazon, Google and Microsoft.

The flaw first received widespread attention when it was publicly disclosed on December 9, after Alibaba Cloud Security Team engineer Chen Zhoujun discovered the flaw. Chen notified the Apache Software Foundation, the non-profit corporation that develops the open-source Log4j tool, by email on November 24.
