Chinese regulators on Wednesday suspended an information-sharing partnership with Alibaba Cloud Computing, a subsidiary of e-commerce conglomerate Alibaba Group, over accusations it failed to promptly report and address a cybersecurity vulnerability, according to state-backed media reports.
Alibaba Cloud did not immediately report vulnerabilities in the popular, open-source logging framework Apache Log4j2 to China’s telecommunications regulator, citing a recent notice by the Ministry of Industry and Information Technology (MIIT).
Alibaba Cloud recently discovered a remote code execution vulnerability in the Apache Log4j2 component, notifying the US-based Apache Software Foundation, according to the statement.
An employee, Chen Zhaojun, emailed the open-source software’s volunteer development team Apache Software Foundation, to report the bug, which threatened the security of millions of computers. Experts around the world’s hailed Chen’s initiative.
“Mad props to Chen Zhaojun of Alibaba Cloud Security for responsibly disclosing the #log4j vulnerability in private directly to the log4j developers, so that a patch to log4j was released by December 6, several days before the vulnerability went public,” said Talia Ringer, an assistant professor of computer science at the University of Illinois Urbana-Champaign.
However, MIIT said it received a report from a third party about the issue, rather than from Alibaba Cloud.
That prompted MIIT to suspend a cooperative partnership with the cloud unit regarding cybersecurity threats and information-sharing platforms.
The partnership would be reassessed in six months and revived depending on the company’s internal reforms, the notice said.
This latest measure highlights Beijing’s desire to strengthen control over key online infrastructure and data in the name of national security.
The Chinese government has asked state-owned companies to migrate their data from private operators such as Alibaba and Tencent to a state-backed cloud system by next year.
The suspension highlights Beijing’s concern at a vulnerability that has triggered a wave of panic among corporations and governments around the world.
Alibaba Cloud declined to comment on the suspension.
- Reuters, with George Russell