Alibaba Cloud responds after being penalized by the Ministry of Industry and Information Technology (MIIT)

Alibaba Cloud has responded to the penalty imposed on it by MIIT. The incident reflects a widespread lack of compliance awareness in the computer industry; its effect on the industry is positive, serving as both a warning and an example.

On the evening of December 23, Alibaba Cloud Computing Co., Ltd. (hereinafter "Alibaba Cloud") responded to the finding that it had failed to report the serious security vulnerability it discovered in the Apache Log4j2 component to the telecommunications authorities in time. Alibaba Cloud said that it had not recognized the severity of the vulnerability early on and had not shared the vulnerability information promptly, and that it would strengthen its management of vulnerability reporting, raise compliance awareness, and cooperate actively with all parties to prevent network security risks.

According to Alibaba Cloud, an R&D engineer at the company recently found a security bug in the Log4j2 component and, following industry practice, reported it by email to the Apache open source community that develops the software, asking for help. The Apache community confirmed that it was a security vulnerability and released a fix worldwide; the vulnerability was subsequently confirmed by outside parties as a major global one. Log4j2 is an open source logging component maintained by the Apache community and is widely used by enterprises and organizations around the world in developing business systems.

Alibaba Cloud had already been penalized over this. On December 22, the Network Security Administration of MIIT announced that Alibaba Cloud, a cooperating unit of the ministry's network security threat information sharing platform, had recently failed to report the serious security vulnerability in the Apache Log4j2 component to the telecommunications authorities in time, and had failed to effectively support MIIT in managing network security threats and vulnerabilities. After review, Alibaba Cloud's status as a cooperating unit was suspended for six months; when the suspension expires, the ministry will consider reinstating it depending on the company's rectification.

On December 9, MIIT's network security threat and vulnerability information sharing platform received a report from a network security professional organization that the Apache Log4j2 component had a serious security vulnerability. MIIT immediately organized relevant network security professional organizations to analyze the vulnerability's risk, convened Alibaba Cloud, network security enterprises and professional organizations to assess it, notified and urged the Apache Software Foundation to fix the vulnerability promptly, and issued a risk warning to industry units.

The vulnerability can allow affected devices to be remotely controlled, with serious consequences such as theft of sensitive information and interruption of service, and is rated high risk. To reduce network security risk, relevant units and the public are reminded to watch for the release of patches for the Apache Log4j2 component, check their systems for use of Log4j2, and upgrade the component promptly.
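The advisory's last sentence asks operators to find every copy of Log4j2 in their systems before upgrading. As an added example (not code from the article, MIIT or Alibaba Cloud), here is a small offline scanner for that inventory step: it walks a directory for JAR/WAR/EAR archives, recurses into archives nested inside them (for example `WEB-INF/lib/*.jar` inside a WAR), reads the log4j-core version from its Maven `pom.properties`, and checks whether the `JndiLookup` class is still present. Two facts it relies on are well established: the remote code execution bug was closed in log4j-core 2.15.0, and deleting `JndiLookup.class` from the jar was Apache's documented mitigation for older 2.x releases. The function names, the version threshold constant and the in-memory sample WAR are mine; the sample is constructed test data, not a real deployment.

```python
"""Added example: inventory Apache log4j-core 2.x inside JAR/WAR/EAR archives."""
import io
import os
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
FIXED_VERSION = (2, 15, 0)  # first log4j-core release that closed the JNDI RCE bug

@dataclass
class Finding:
    path: str               # archive path; nested entries joined with "!/"
    version: Optional[str]  # from pom.properties, None if absent (e.g. shaded jar)
    jndi_lookup_present: bool

    @property
    def vulnerable(self) -> bool:
        if not self.jndi_lookup_present:
            return False  # JndiLookup.class deleted: Apache's documented mitigation for old 2.x
        if self.version is None:
            return True   # lookup class present, version unknown: treat as affected until reviewed
        return parse_version(self.version) < FIXED_VERSION

def parse_version(version: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparsable -> (0, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else (0, 0, 0)

def version_from_pom_properties(text: str) -> Optional[str]:
    m = re.search(r"^version=(.+)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None

def scan_archive(data: bytes, path: str, findings: Optional[List[Finding]] = None) -> List[Finding]:
    """Record log4j-core evidence in one archive, then recurse into archives nested in it."""
    findings = [] if findings is None else findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        version = None
        if POM_PROPERTIES in names:
            version = version_from_pom_properties(zf.read(POM_PROPERTIES).decode("utf-8", "replace"))
        jndi = JNDI_LOOKUP_CLASS in names
        if version is not None or jndi:
            findings.append(Finding(path, version, jndi))
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    scan_archive(zf.read(name), f"{path}!/{name}", findings)
                except zipfile.BadZipFile:
                    continue  # archive suffix but not actually a zip
    return findings

def scan_directory(root: str) -> List[Finding]:
    """Walk a filesystem tree and scan every archive found in it."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if filename.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, filename)
                with open(full, "rb") as fh:
                    try:
                        scan_archive(fh.read(), full, findings)
                    except zipfile.BadZipFile:
                        pass
    return findings

# --- constructed sample input, not a real deployment -------------------------
FAKE_CLASS = b"\xca\xfe\xba\xbe"  # class-file magic only, standing in for bytecode

def make_jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def pom_properties(version: str) -> bytes:
    return f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n".encode()

def build_sample_war() -> bytes:
    """WAR bundling an unpatched log4j-core, an upgraded one, one with JndiLookup removed,
    a shaded jar without version metadata, and an unrelated library."""
    lib = "WEB-INF/lib/"
    return make_jar({
        lib + "log4j-core-2.14.1.jar": make_jar({POM_PROPERTIES: pom_properties("2.14.1"), JNDI_LOOKUP_CLASS: FAKE_CLASS}),
        lib + "log4j-core-2.17.1.jar": make_jar({POM_PROPERTIES: pom_properties("2.17.1"), JNDI_LOOKUP_CLASS: FAKE_CLASS}),
        lib + "log4j-core-2.14.1-patched.jar": make_jar({POM_PROPERTIES: pom_properties("2.14.1")}),
        lib + "shaded-app.jar": make_jar({JNDI_LOOKUP_CLASS: FAKE_CLASS, "com/example/App.class": FAKE_CLASS}),
        lib + "commons-io-2.11.0.jar": make_jar({"org/apache/commons/io/IOUtils.class": FAKE_CLASS}),
    })

if __name__ == "__main__":
    import sys
    found = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else scan_archive(build_sample_war(), "sample.war")
    for f in found:
        print("VULNERABLE" if f.vulnerable else "ok", f.version or "unknown", "JndiLookup present" if f.jndi_lookup_present else "JndiLookup removed", f.path)
```

Run it with a directory argument to scan real deployments, or with no argument to scan the constructed sample, which yields two findings marked vulnerable (the unpatched 2.14.1 and the shaded jar with no version metadata) and two marked ok. The scanner only recognizes log4j-core 2.x under its original package names, so copies that were relocated by a shading plugin will be missed, and a jar with the class removed is only as safe as the removal was complete; a static inventory like this tells you where to upgrade, it does not replace the upgrade.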

Alibaba Cloud holds an important position in China's cloud market. According to the China cloud computing market report for the third quarter of 2021 released by Canalys, China's overall cloud computing market grew 43% year-on-year to $7.2 billion in the quarter. Alibaba Cloud led the mainland China market with a 38.3% share, and its revenue growth of 33.3% was driven mainly by the Internet, financial services and retail industries.

Recently, media reported that Alibaba Cloud had discovered a security vulnerability in the Apache Log4j2 component but failed to report it to the competent telecommunications authorities in time, and failed to effectively support MIIT in managing network security threats and vulnerabilities. Alibaba Cloud's status as a cooperating unit was therefore suspended for half a year.

A topic that would once have stayed within technical circles has thus become a social hot spot, and for a while netizens split into two camps:

People outside technical circles said: it feels like Alibaba Cloud reported only to Apache, a technical community, and not to the authorities, without regard for national security.

People in technical circles said: of course a bug is reported to whoever wrote the code; a security vulnerability in Apache software should be reported to Apache, not online.

On the evening of the 23rd, Alibaba Cloud issued a statement on the Log4j2 vulnerability, candidly admitting its mistake and saying it would strengthen management of vulnerability reporting, raise compliance awareness, and cooperate actively with all parties on network security prevention.

Looking back at this highly technical topic, several facts need clarifying.

First, what is the Apache open source community, and what is the Log4j2 component?

Apache (the Apache Software Foundation) is one of the world's most influential open source communities. According to its website, Chinese companies such as Huawei, Tencent and Alibaba are among its major contributors, alongside American companies such as Google and Microsoft. Software engineers around the world build basic software components there and iterate on each other's work to improve efficiency, a phenomenon unique to the software industry.

Log4j2, the component in which the vulnerability was found, is an open source logging component belonging to the Apache community, and many enterprises use it when developing their own systems. When engineers at Alibaba Cloud found something wrong with the component, they emailed Apache, asking the community to confirm whether it was a bug and to assess its scope of impact.

Apache then confirmed that it was a bug and notified the developers to fix it. By that point the whole world had learned of it, and the vulnerability was patched at the same time.

However, Alibaba Cloud overlooked the official reporting platform that had been launched not long before, and instead, following industry practice, reported the problem by email to the Apache open source community, the software's developer, asking for help.

Second, MIIT suspended Alibaba Cloud's status as a cooperating unit for six months. What does this mean?

According to the MIIT notice: "On December 9, MIIT's network security threat and vulnerability information sharing platform received a report from a network security professional organization that the Apache Log4j2 component had a serious security vulnerability. MIIT immediately organized relevant network security professional organizations to analyze the vulnerability's risk, convened Alibaba Cloud, network security enterprises and professional organizations to assess it, notified and urged the Apache Software Foundation to fix the vulnerability promptly, and issued a risk warning to industry units."

The six-month suspension of cooperating-unit status reported by the media did not appear in public channels. According to industry insiders, this is not a "punishment" in the strict sense, otherwise it would have been announced publicly. Moreover, the network security threat and vulnerability information sharing platform is a platform for collecting and reporting vulnerabilities; suspending cooperating-unit status on it does not affect Alibaba Cloud's business operations.

Figure: MIIT risk advisory on the Log4j2 vulnerability

Still, the incident reflects, indirectly, a widespread lack of awareness in the computer industry. Over the decades in which the domestic computer industry has developed, a large number of practitioners and organizations have formed the habit of working with open source communities, but their awareness of security and compliance at a higher level remains insufficient, both in thinking and in process. Alibaba Cloud's omission is a concrete manifestation of this gap.

On the whole, the incident's effect on the industry is positive, serving as both a warning and an example. Alibaba Cloud is a leading IT company, which is why it was able to be the first in the world to discover this major security vulnerability. The incident will undoubtedly raise awareness of security compliance across the computer industry, and it is foreseeable that Alibaba Cloud and many other technology companies will strengthen compliance training and standardize processes within their organizations.

Recently, the Network Security Administration of MIIT announced that Alibaba Cloud Computing Co., Ltd. had failed to report to the telecommunications authorities in time after discovering a serious security vulnerability in the Apache Log4j2 component, and had failed to effectively support MIIT in managing network security threats and vulnerabilities.

According to the circular, Alibaba Cloud is a cooperating unit of MIIT's information sharing platform. After review, the Network Security Administration of MIIT decided to suspend Alibaba Cloud's status as a cooperating unit for six months; when the suspension expires, its status will be restored depending on the company's rectification.

Observer.com had reported the incident in detail a few days earlier: on November 24, Alibaba Cloud first disclosed the vulnerability to the Apache Software Foundation but failed to inform China's MIIT in time. The vulnerability allows network attackers to access servers without a password.

MIIT notice on a major security vulnerability in the Apache Log4j2 component

The Apache Log4j2 component is an open source Java logging framework widely used in business system development. Recently, Alibaba Cloud Computing Co., Ltd. discovered a remote code execution vulnerability in the Apache Log4j2 component and reported it to the Apache Software Foundation.

The vulnerability can allow affected devices to be remotely controlled, with serious consequences such as theft of sensitive information and interruption of service, and is rated high risk. To reduce network security risk, relevant units and the public are reminded to watch for the release of patches for the Apache Log4j2 component, check their systems for use of Log4j2, and upgrade the component promptly.

The Network Security Administration of MIIT will continue to organize vulnerability handling, guard against the risks posed by security vulnerabilities in network products, and maintain the security of the public Internet.