UPDATED 18:49 EDT / DECEMBER 22 2021

SECURITY

As new scanning tool is released, China suspends partnership with Alibaba over Log4j

The Chinese government has suspended a partnership with Alibaba Group Holding Ltd. over the Apache Log4j vulnerability as a new open-source scanning tool has been released to help businesses identify affected services.

China’s Ministry of Industry and Information Technology announced the suspension of an information-sharing partnership with Alibaba Cloud Computing on Wednesday local time. The suspension is the result of Alibaba allegedly failing to first report to the government the Loj4j vulnerability, the South China Morning Post reports.

The ministry said it would suspend all work with Alibaba Cloud for six months. After six months, the ministry added, it would reassess whether to resume the partnership at that time, based on measures Alibaba had taken to correct the problem.

“This vulnerability may lead to remote control of equipment, which may lead to serious harms such as the theft of sensitive information and interruption of equipment services. It is a high-risk vulnerability,” the Chinese government said in a statement.

The call from Beijing comes amid a range of measures taken by the Middle Kingdom to strengthen control over key online infrastructure and data in the name of national security, Reuters noted. The government has also asked state-owned companies to migrate their data from private operators to state-backed cloud systems.

While Log4j continues to be an ongoing problem, back in the U.S., the Department of Homeland Security’s Cybersecurity and Infrastructure Agency has announced the release of a new scanner for identifying web services impacted by Log4j vulnerabilities.

“Log4j-scanner is a project derived from other members of the open-source community by CISA to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities,” the project page on GitHub states.

It won’t be a happy holiday this year for companies affected, with many still struggling.

“SolarWinds, Colonial Pipeline, MSFT Exchange and now Log4Shell… we keep saying that these events are a ‘wake up call,’ but all we have been doing is hitting the snooze button,”  Mehul Revankar, vice president of vulnerability management, detection and response at cloud security firm Qualys Inc., told SiliconANGLE. “On an unprecedented scale, compounded by the fact that it is not easy to find, Log4Shell is the single most vicious vulnerability I have seen in my two-decade cybersecurity tenure.”

Revankar noted that Qualys has a Fortune 50 global manufacturing company whose chief information security officer has given the directive to take all servers completely offline if they have not remediated Log4Shell vulnerabilities by Monday.

“Log4Shell is so severe that until organizations have a complete understanding that this threat has been eliminated – they refuse to put systems online with the growing concern that employees will also fall victim to human exploitation attempts,” Revankar added.

Image: Alibaba

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU