Apache/Log4j – Log4Shell:- Alibaba Group Holding – Computing Services Unit

Background

There are so many angles to the recently disclosed Apache Foundation Log4J security vulnerabilities.

As a footnote, this post covers the Log4Shell vulnerability.

A month ago, 2021-November-24th, Chen Zhoujun from Alibaba’s Cloud Security Team discovered the bug.

The Apache Foundation's Log4J project was quickly notified via email.

 

Stories

South China Morning Post

Apache Log4j bug: China’s industry ministry pulls support from Alibaba Cloud for not reporting flaw to government first

China’s internet security regulator has disciplined Alibaba Group Holding’s cloud computing services unit for failing to first report to the government a critical vulnerability in Apache’s Log4j software that has alarmed the cybersecurity community, Chinese media reported on Wednesday.

The Ministry of Industry and Information Technology (MIIT) is suspending work with Alibaba Cloud as a cybersecurity threat intelligence partner for six months because the company did not immediately report a severe bug in the widely used logging software to the government agency, the 21st Century Business Herald reported. The ministry also said it would reassess whether to resume the partnership at that time, based on measures Alibaba has taken to correct the problem.

Losing the support of the agency could affect business prospects for the cloud computing unit of Alibaba, the owner of the South China Morning Post. However, specific losses for the country’s largest cloud business are hard to determine.

The MIIT launched a cybersecurity threat intelligence sharing platform in December 2019 to serve as a state-led alliance in dealing with security threats. Membership in the platform is government recognition of the member’s capabilities in spotting and managing threats.

The MIIT did not publish a public statement about its decision, and Alibaba did not respond to a request for comment.

The Log4j vulnerability has been described as a “nightmare” and “catastrophic”, with some experts saying it is the most severe cybersecurity threat ever by the number of devices affected. The simple piece of Java-based software can be found in countless internet-connected devices, from Internet-of-Things products like televisions and cameras to the servers running cloud operations for tech giants like Amazon, Google, and Microsoft.

The flaw first received widespread attention when it was publicly disclosed on December 9, after Alibaba Cloud Security Team engineer Chen Zhoujun discovered the flaw. Chen notified the Apache Software Foundation, the non-profit corporation that develops the open-source Log4j tool, by email on November 24.

According to a regulation passed this year, Chinese companies are obliged to report vulnerabilities in their own software to the MIIT through its National Vulnerability Database website. However, the Internet Product Security Loophole Management Regulation, which went into effect in September, only “encourages” companies to report bugs found in others’ software.

The MIIT cybersecurity management bureau released a statement on December 9 saying it was notified about the vulnerability by “relevant” cybersecurity institutions. The ministry summoned Alibaba Cloud and other cybersecurity firms to discuss the situation, it said. It also urged companies and the public to monitor for updates to patch their systems.

Cybersecurity industry norms encourage notifying vendors of security flaws first, giving them ample time to address the problem, before disclosing the issue to the public. Apache released a patch for the Log4j bug on December 6, three days before public disclosure.

Still, the effect of the bug’s discovery is expected to be wide-ranging because of Log4J’s ubiquity. Many people may not even be aware that their systems are compromised.

The exploit, known as Log4Shell, allows hackers to remotely execute code by getting it logged by the software. This became a problem in the Java edition of Microsoft’s game Minecraft, for example, allowing players to compromise others’ systems by sending malicious code through chat messages.

Cybersecurity experts on Twitter have commended the Alibaba Cloud engineer for responsibly disclosing the vulnerability directly to the tool’s developers.

Since the bug’s public disclosure, cybersecurity experts have warned of an increase in activity scanning for Log4j on vulnerable systems. Microsoft said on December 11 that it found that state actors connected with China, Iran, North Korea, and Turkey have been both experimenting with and exploiting the vulnerability.

 

Dedication

Dedicating this post principally to Chen Zhoujun.

And, secondarily to:-

  1. Alibaba
    • Alibaba Cloud
  2. Apache Foundation
    • Log4J

References

  1. South China Morning Post
    • Apache Log4j bug: China’s industry ministry pulls support from Alibaba Cloud for not reporting flaw to government first
