China’s Ministry of Industry and Information Technology temporarily suspend its collaboration with Alibaba Cloud as a cyber threat intelligence partner due to the fact that the company did not inform the government first about the discovery of the Log4Shell vulnerability.
The developers of Log4j were informed in late November by Alibaba’s cloud security team that the widely used logging utility had been affected by a critical vulnerability, which would later become known as Log4Shell and LogJam.
Officially tracked as CVE-2021-44228, the flaw can be exploited to gain complete control over vulnerable systems, and it has been exploited by both cybercriminals and state-sponsored threat groups, likely even before an official patch was released.
The Chinese government is displeased with the fact that it was not informed first about the Log4j vulnerability. As a result, the MIIT, which has been running a threat intelligence sharing platform since late 2019, said it would suspend work with Alibaba Cloud for six months, after which it will reassess whether the partnership should be resumed. This MIIT’s decision could have a negative impact on Alibaba’s business prospects.
A law passed this year in China requires all Chinese citizens who find zero-day vulnerabilities to pass the details to the government. While security flaws can be disclosed to the affected vendor, they cannot be sold or passed on to third-parties outside of China.
The chinese companies are obligated to inform the government about vulnerabilities found in their own software, but companies are only “encouraged” to report flaws identified in other vendors’ products.
It’s worth noting that among the groups that have been observed exploiting Log4Shell in their attacks, cybersecurity researchers have seen threat actors that are believed to be sponsored by the Chinese government.