Alibaba Cloud responded that it failed to report Log4j2 in a timely manner. Major vulnerabilities: Early failure to realize the seriousness will raise awareness of compliance

Recently, the Ministry of Industry and Information Technology issued a notice that after Alibaba Cloud discovered serious security vulnerabilities in the Apache Log4j2 component, it failed to report to the telecommunications authorities in a timely manner and did not effectively support the Ministry of Industry and Information Technology to carry out cyber security threats and vulnerability management. After research, Alibaba Cloud has been suspended as the aforementioned cooperative unit for 6 months. After the suspension period expires, according to Alibaba Cloud's rectification situation, study the restoration of the aforementioned cooperative units.

Alibaba Cloud officials responded today that they did not share the vulnerability information in time because they did not realize the severity of the vulnerability in the early stage. Alibaba Cloud will strengthen vulnerability management, enhance compliance awareness, and actively coordinate with all parties to prevent cyber security risks.

On December 23, released the "161cd3cda3f03e Note on the Vulnerability of Apache Log4j2 in the Open Source Community 161cd3cda3f040 .

Log4j2 is an open source log component under the open source community Apache (Apache), which is widely used in the development of various business systems by enterprises and organizations all over the world.

Recently, an Alibaba Cloud R&D engineer discovered a security bug in the Log4j2 component and reported the problem to the software developer's Apache open source community by email according to industry practices to request help. The Apache open source community confirmed that this is a security vulnerability and released a patch to the world. Subsequently, the vulnerability was confirmed by the outside world as a major global vulnerability.

Alibaba Cloud did not share the vulnerability information in time because it did not realize the seriousness of the vulnerability in the early stage. Alibaba Cloud will strengthen vulnerability report management, enhance compliance awareness, and actively coordinate with all parties to prevent cyber security risks.

Related reading: Cloud was suspended for 6 months by the Ministry of Industry and Information Technology's cybersecurity cooperation unit for failing to report the Apache Log4j2 high-risk vulnerability