Alibaba Cloud disciplined for not reporting Log4j bug to Tiongland garhmen 1st

orhneeorh

Banned
Joined
Jul 10, 2020
Messages
26,370
Reaction score
9,597
https://www.scmp.com/tech/big-tech/...-cloud?module=lead_hero_story&pgtype=homepage
China’s internet security regulator has disciplined Alibaba Group Holding’s cloud computing services unit for failing to first report to the government a critical vulnerability in Apache’s Log4j software that has alarmed the cybersecurity community, Chinese media reported on Wednesday.

The Ministry of Industry and Information Technology (MIIT) is suspending work with Alibaba Cloud as a cybersecurity threat intelligence partner for six months because the company did not immediately report a severe bug in the widely used logging software to the government agency, the 21st Century Business Herald reported. The ministry also said it would reassess whether to resume the partnership at that time, based on measures Alibaba has taken to correct the problem.

Losing the support of the agency could affect business prospects for the cloud computing unit of Alibaba, the owner of the South China Morning Post. However, specific losses for the country’s largest cloud business are hard to determine.
 

The MIIT launched a cybersecurity threat intelligence sharing platform in December 2019 to serve as a state-led alliance in dealing with security threats. Membership in the platform is government recognition of the member’s capabilities in spotting and managing threats.

The MIIT did not publish a public statement about its decision, and Alibaba did not respond to a request for comment.

The Log4j vulnerability has been described as a “nightmare” and “catastrophic”, with some experts saying it is the most severe cybersecurity threat ever by number of devices affected. The simple piece of Java-based software can be found in countless internet-connected devices, from Internet-of-Things products like televisions and cameras to the servers running cloud operations for tech giants like Amazon, Google and Microsoft.

The flaw first received widespread attention when it was publicly disclosed on December 9, after Alibaba Cloud Security Team engineer Chen Zhoujun discovered the flaw. Chen notified the Apache Software Foundation, the non-profit corporation that develops the open-source Log4j tool, by email on November 24.

According to a regulation passed this year, Chinese companies are obliged to report vulnerabilities in their own software to the MIIT through its National Vulnerability Database website. However, the Internet Product Security Loophole Management Regulation, which went into effect in September, only “encourages” companies to report bugs found in others’ software.

The MIIT cybersecurity management bureau released a statement on December 9 saying it was notified about the vulnerability by “relevant” cybersecurity institutions. The ministry summoned Alibaba Cloud and other cybersecurity firms to discuss the situation, it said. It also urged companies and the public to monitor for updates to patch their systems.

Cybersecurity industry norms encourage notifying vendors of security flaws first, giving them ample time to address the problem, before disclosing the issue to the public. Apache released a patch for the Log4j bug on December 6, three days before public disclosure.

Still, the effect of the bug’s discovery is expected to be wide-ranging because of Log4j’s ubiquity. Many people may not even be aware that their systems are compromised.

The exploit, known as Log4Shell, allows hackers to remotely execute code by getting it logged by the software. This became a problem in the Java edition of Microsoft’s game Minecraft, for example, allowing players to compromise others’ systems by sending malicious code through chat messages.

Cybersecurity experts on Twitter have commended the Alibaba Cloud engineer for responsibly disclosing the vulnerability directly to the tool’s developers.

Since the bug’s public disclosure, cybersecurity experts have warned of an increase in activity scanning for Log4j on vulnerable systems. Microsoft said on December 11 that it found that state actors connected with China, Iran, North Korea and Turkey have been both experimenting with and exploiting the vulnerability.
 

needhelpbadlynow

High Supremacy Member
Joined
May 22, 2017
Messages
33,666
Reaction score
9,729
why they need to patch? they are behind the wall de ma. :ROFLMAO: so long their wall don't break can le. 🤭 tiongs want to climb over the wall also no easy de. those that can climb over the wall are CCPee de lo.

tiong can play minecraft de ma? :LOL:
 

PetKat

Banned
Joined
Nov 1, 2021
Messages
6,987
Reaction score
3,857
jack ma basically no position in baba anymore...

then baba now focusing on overseas growth

ccp really wanna play them liao
 