Alibaba Cloud is a subsidiary of Alibaba Group. Also known as Aliyun, the company provides cloud computing services to its customers, as well as the Alibaba e-commerce ecosystem.

Alibaba Cloud Failed to Promptly Report Log4j2 Vulnerability

China’s Ministry of Industry and Information Technology (MIIT) issued a notice stating Alibaba Cloud did not immediately report the Apache Log4j2 vulnerability to the country’s telecom regulator. The company discovered the remote code execution (RCE) vulnerability recently and notified the Apache Software Foundation. According to reports, MIIT learned about the vulnerability from a third party, not Alibaba Cloud. As a consequence, MIIT suspended a cooperative partnership with the company. The partnership involved sharing information about cybersecurity threats. The notice added that MIIT will reassess the partnership in six months. It could lift the suspension if Alibaba Cloud makes sufficient internal reforms. MIIT’s move highlights China’s policies to strengthen its grip over key online infrastructure. In recent months, the government has directed state-owned companies to move their data to state-backed cloud storage providers.

Log4j2 a High-Risk Vulnerability, Says Chinese Telecom Regulator

The vulnerability in question affects Apache Log4j2, a Java-based logging library that is present in a wide variety of web applications and enterprise systems. It is also used in programs like web-based games, large enterprise software, and cloud data centers. Many organizations, including the US Cybersecurity & Infrastructure Security Agency (CISA), share the Chinese regulator’s concerns about the vulnerability. In fact, the Quebec government was forced to shut down approximately 3,992 vulnerable websites as a pre-emptive measure. The vulnerability “presents a significant risk to the entire internet” and has pushed many cybersecurity companies to look for solutions. “This vulnerability may lead to remote control of equipment, which may lead to serious harms such as the theft of sensitive information and interruption of equipment services. It is a high-risk vulnerability,” the regulator stated last week. Popular VPN provider ExpressVPN recently rolled out a layer of protection for its customers, implementing a “port-based blocking solution” to protect its users from the Log4j2 vulnerability. ExpressVPN said that though its solution was “not a silver bullet,” it believes it will “provide a significant impact” in shielding users. If you want to learn more about the Apache Log4j2 vulnerability, and what you can do to protect yourself at this time, check out our article here.
