Alibaba Cloud, which has been making a lot of noise recently, discovered the vulnerability but reported it first to the US-based Apache Software Foundation. It has now been penalized.
Affected by this, Alibaba's Hong Kong shares briefly "dipped" during Wednesday's trading session, after rising by more than 5% at the start of the trading day. According to the news, Alibaba Cloud was suspended as a cooperation unit of the Ministry of Industry and Information Technology's network security threat information sharing platform.
At the same time, the Hang Seng Technology Index quickly narrowed its gains.
According to media reports, the Cyber Security Administration of the Ministry of Industry and Information Technology reported that recently, after Alibaba Cloud discovered serious security vulnerabilities in the Apache Log4j2 component, it failed to report them promptly to the telecommunications authority and did not effectively support the Ministry of Industry and Information Technology in carrying out network security threat and vulnerability management. After consideration, Alibaba Cloud's status as the aforementioned cooperation unit is now suspended for 6 months.
According to the network security risk warning about major security vulnerabilities in the Apache Log4j2 component, issued by the Cyber Security Administration of the Ministry of Industry and Information Technology on December 17, the Apache Log4j2 component is an open source logging framework based on the Java language and is widely used for business system development. Recently, Alibaba Cloud Computing Co., Ltd. discovered a remote code execution vulnerability in the Apache Log4j2 component and notified the Apache Software Foundation of the vulnerability.
So what is the Apache Software Foundation? Will it lead to the disclosure of network security risks?
According to the official website of the Apache Software Foundation, it is a non-profit organization registered in the US under section 501(c)(3). Its income comes from sponsorship by major companies and from personal donations. At present, it is still relatively safe.
The risk alert pointed out that on December 9, the Ministry of Industry and Information Technology's cyber security threat and vulnerability information sharing platform received a report from relevant cyber security professional organizations that the Apache Log4j2 component had serious security vulnerabilities. The Ministry of Industry and Information Technology immediately organized relevant cybersecurity professional institutions to conduct a vulnerability risk analysis, convened Alibaba Cloud, cybersecurity companies, cybersecurity professional institutions and others to study and assess the issue, notified and urged the Apache Software Foundation to repair the vulnerability in a timely manner, and issued a risk warning to industry units.
This vulnerability may lead to remote control of the device, which can cause serious harm such as the theft of sensitive information and the interruption of device services. It is a high-risk vulnerability. In order to reduce network security risks, relevant units and the public are reminded to pay close attention to the release of vulnerability patches for Apache Log4j2 components, to investigate the usage of Apache Log4j2 components in related systems, and to upgrade component versions in a timely manner.
In the risk warning, the Cyber Security Administration of the Ministry of Industry and Information Technology stated that it will continue to organize and carry out vulnerability handling to prevent risks from security vulnerabilities in network products and to maintain the security of the public Internet.