Alibaba admits it was slow to report Log4j software bug after Beijing rebuke

Alibaba said the researcher abided by global industry practice but fell short. PHOTO: REUTERS

HANGZHOU (BLOOMBERG) - Alibaba Group Holding conceded it was slow to report a major vulnerability in widely used software because it was unaware of its severity, a day after China's technology industry overseer suspended cooperation on cyber security with the online retail giant.

Alibaba's admission on Thursday (Dec 23) clouded its role in uncovering potentially one of the more serious software vulnerabilities of recent years. Alibaba Cloud researcher Chen Zhaojun discovered the flaw in the Log4j open-source software and in November e-mailed it to members of the Apache Software Foundation community, which helps maintain the tool.

That set off a global race by companies, governments and institutions to update critical computer systems before hackers could install backdoors.

But this week, local media reported that China's Ministry of Industry and Information Technology (MIIT) upbraided Alibaba for not reporting the flaw in a timely fashion, suspending cooperation with AliCloud on a cyber-security information sharing platform for six months.

The MIIT said it would review "rectification measures" before deciding on whether to resume their project, the 21st Century Business Herald reported.

In its Thursday post, Alibaba said the researcher abided by global industry practice but fell short.

"Because we didn't realise its severity, we failed to share information about the flaw quickly enough," AliCloud said in its post. "Going forward, we'll strengthen our security flaw reporting systems, enhance compliance awareness and actively work with all parties to improve internet security."

While the ministry's suspension covered only their information sharing platform, the swift action may spook potential clients for Alibaba's broader cloud business, now its biggest revenue contributor after e-commerce. The industry is on edge after a year-long Chinese regulatory crackdown intended to curb the power of the country's biggest tech firms.

AliCloud, the world's third largest cloud service provider by some estimates, began by assuming the digital workloads of Chinese start-ups but is now increasingly going after large enterprises and government agencies.

Its role in unearthing the Log4j flaw has been hailed by many in the cyber-security industry.

Log4j is a piece of computer code that developers can put into applications to monitor, or "log", anything from mundane operations to critical alerts. Those detailed logs help programmers debug software and is used by millions of applications.

Government agencies around the world continue to urge companies and businesses to run patches to fix the flaw, as ransomware attacks are expected to follow cyber-intrusions. Attempts to exploit the Log4j vulnerability have only escalated in the weeks since the revelation of the flaw, which, if left unfixed, could give hackers unfettered access to millions of computer systems.

Join ST's Telegram channel and get the latest breaking news delivered to you.