China’s MIIT Suspends Partnership With Alibaba Cloud for Six Months
China's Ministry of Industry and Information Technology (MIIT) recently announced it had suspended its partnership with Alibaba Group's cloud computing subsidiary for six months.
The Chinese regulator put its partnership with Alibaba Cloud Computing on hold over its alleged failure to report Apache's Log4J software cybersecurity vulnerabilities to them within the two-day reporting timespan required under China's Data Security Law.
A Global Times report cited a Guancha.cn article that said Alibaba Cloud reported the vulnerability to the regulator 15 days after it was detected. However, it was able to report the problem to the Apache Software Foundation, which was based in the U.S.
The MIIT said it would consider its partnership with Alibaba Cloud after the six-month period based on the company's measures to correct the problem.
The Apache Log4j2 vulnerability was discovered on 14 December 2021 after cybersecurity experts spent days trying to patch the first vulnerability detected in Log4j. Large organisations widely use this Java-based open-source software to configure their applications.
The vulnerability could allow hackers or attackers to control over Thread Context Map input data when the logging configuration uses a non-default pattern layout with either a Context Lookup or a Thread Context Map pattern. Attackers will then be able to create malicious input data using a Java Naming and Directory Interface (JNDI) Lookup pattern, resulting in an information leak and a denial of service (DOS) attack.
Concerns about the vulnerability rose when a tool to exploit the vulnerability was released to the public on GitHub, a software depository. The tool would allow hackers to use the vulnerability to break into devices because it has a potential roadmap for how to use it - a concern that the MIIT shares.
The MIIT's response highlights the Chinese government's desire to grab control over the country's infrastructure and data, which China experts consider as a "strategic asset" in China's showdown with America.
You may remember the Chinese government advising government firms to move all their data from third-party managed cloud platforms to the "guoziyun" or "state asset cloud" on 31 August 2021.
Alibaba Cloud has not commented on the partnership's suspension as of the publication of this article.
Written by John Paul Joaquin