
Alibaba should have reported the Log4j vulnerability to China sooner

The Chinese government is kicking cloud provider Alibaba off a security panel for failing to report the Log4j vulnerability to the agency in a timely manner. According to media reports, the company’s membership on the Ministry of Industry and Information Technology (MIIT) security panel has been revoked for six months.

Log4j: Alibaba did not report the vulnerability immediately

The Chinese government is angry and has chastised Alibaba Cloud for its casual handling of the Log4j vulnerability (Log4Shell, CVE-2021-44228), which is currently being exploited on a large scale. As a consequence, the provider loses its seat on the Ministry of Industry and Information Technology (MIIT) security panel for a period of six months.

According to ZDNet, the Chinese government's main criticism is that the vulnerability was not reported to the ministry in time. Alibaba Cloud's security team had informed the Apache Software Foundation, which maintains the Log4j logging library, on November 24, 2021, but did not inform the MIIT. The ministry is said to have learned of the vulnerability only days later, through third parties.

New security vulnerability reporting law

According to the South China Morning Post, a regulation that took effect in China in September 2021 requires companies to report security vulnerabilities in their products to the government, and to do so within 48 hours of discovery. The intent is that companies report potential and confirmed vulnerabilities to the government first, before anyone else.

However, a government that receives vulnerability reports first is not always interested in getting the gap closed as quickly as possible, since an unpatched vulnerability can be useful to its intelligence services.

This leaves a window between the report of a vulnerability and the release of a patch during which intelligence services can continue to exploit it. The same concern was raised loudly in the case of the ProxyLogon flaws in Microsoft's Exchange e-mail server software.

In that case, security companies and government agencies were informed about the vulnerabilities in advance of the fix. There is also speculation that intelligence agencies such as the NSA received advance information. The vulnerabilities were then exploited widely before the patch that closed them was released.

Because of the Log4j vulnerability, the German Federal Office for Information Security (BSI) has issued its highest warning level, "4/Red".

Simon Lüthje

I am co-founder of this blog and am very interested in everything that has to do with technology, but I also like to play games. I was born in Hamburg, but now I live in Bad Segeberg.
