China’s Ministry of Industry and Information Technology has suspended Alibaba Cloud’s membership of an influential security board to protest its handling of the Log4j flaw.
The move appears odd as The Apache Software Foundation credited Alibaba Cloud’s Chen Zhaojunfor identifying and reporting the Log4J flaw in the first place. You might think Alibaba Cloud deserves a parade for identifying a dangerous flaw, and showing that Chinese bug-hunters can match it with the world’s best.
But according to Chinese outlet The 21st Century Herald, Chinese authorities were displeased with the cloud giant’s response.
The outlet reported that Alibaba drew ire for not reporting the security vulnerabilities to MIIT in a timely manner and not effectively supporting the ministry’s network security threat and vulnerability management efforts.
As punishment, the ministry suspended Alibaba Cloud’s position on its security board for six months. After six months, the ministry will reassess Alibaba Cloud’s corrective measures and suitability.
The Register has been unable to find the document the herald referred to, and Neither MIIT nor Alibaba have released public statements about the decision, so we are in the dark about Beijng’s reasoning.
However, we can speculate.
We know that the bug was reported to the Apache Foundation on November 24th.
A timeline of the Log4j incident by Cisco’s Talos security team states news of the flaw leaked to GitHub on November 30th.
Talosand Cloudflare reported both reported they detected exploits of the bug in the wild before it was disclosed, and fixed, once on December 1 and again on December 2.
Just how the authors of those exploits learned of the bug is not known.
Another piece of evidence, a since-deleted tweet from an account using the handle @P0rZ9, has been dated as debuting a dozen hours before the Apache Foundation issued its patch on December 10th.
A since-deleted GitHub post from December 9th, made by an Alibaba staffer, is also suspected to have been published before the patch. The Wayback Machine has preserved the post here.
If Alibaba staffers were the source of the GitHub leaks, Beijing may wish to punish the company for that error.
Or perhaps Alibaba didn’t meet local reporting requirements. Chinese companies are required to report vulnerabilities in their own software to MIT’s National Vulnerability Database website within two days, and Alibaba Cloud is likely to have lots of Log4j its own systems and customers’ cloudy rigs. Provisions on Security Loopholes of Network Products, which went into effect in September encourages Chinese companies to report bugs in other software.
Perhaps the scariest possible reason Alibaba has been punished is that Beijing is miffed the company reported the flaw to Apache, thereby denying China a zero day exploit that had enormous offensive potential. ®