Alibaba Employee First Spotted Log4j Software Flaw but Now the Company Is in Hot Water With Beijing

The flaw in Apache Log4j software, a free bit of code that logs activity in computer networks and applications, was made public this month, and it is being exploited by hackers in an attempt to gain access to corporate and government systems. In the U.S., officials said hundreds of millions of devices were at risk and issued an emergency directive ordering federal agencies to take steps to mitigate the threat by Christmas Eve.

Distributed by the nonprofit Apache Software Foundation, Log4j is among the most widely used tools to collect information across corporate computer networks, websites and applications.

Researcher Chen Zhaojun of Alibaba Cloud, a subsidiary of the Hangzhou-based e-commerce company, first reported the vulnerability, a spokeswoman for the Apache Software Foundation said. Mr. Chen is a staffer on Alibaba Cloud’s security team, according to an online Apache logging services security report.

Cybersecurity experts say the general etiquette for researchers who find software flaws is to privately report the vulnerabilities to developers who can issue fixes. Making software flaws or updates public before such patches are in place can set off a race among hackers to take advantage of such issues.

Alibaba declined to comment on Beijing’s allegation of a reporting delay and Mr. Chen’s involvement.

Mr. Chen had called the foundation’s attention to the flaw on Nov. 24, and within a day, Apache—which is run by a team of volunteers—had accepted his report and started researching a fix, the software group said. Apache communicated with Mr. Chen several times over the next two weeks, discussing a possible fix, it said.

By Dec. 9, when Apache was nearly ready to release a patch, Mr. Chen alerted the foundation that users on Chinese chat forums were discussing the flaw, raising the possibility that hackers could already be trying to exploit it, said Gary Gregory, one of the nonprofit’s volunteer developers.

“The timing there was unfortunate,” Mr. Gregory said.

On Wednesday, China’s Ministry of Industry and Information Technology, also known as MIIT, said its cybersecurity threat and information platform would be stopping its cooperation with Alibaba Cloud for six months over the alleged failure by the company to highlight the vulnerability in a timely fashion, the state-run China Daily reported, citing unnamed ministry officials.

Alibaba Cloud is part of a national cybersecurity-threat platform that requires members to promptly report information about such glitches, the report said. Alibaba’s failure to report the Log4j2 flaw to the relevant authorities in a timely manner hindered efforts by China’s MIIT to handle the threat effectively, China Daily reported.

The ministry said it would reassess Alibaba’s corrective measures before resuming its current partnership, China Daily added. MIIT didn’t respond to a faxed request for comment sent after office hours.

Alibaba has faced a number of regulatory headwinds over the past year as Beijing has tightened its control over China’s most influential internet companies. The technology juggernaut was hit with a record $2.8 billion fine for antitrust violations in April and its financial affiliate Ant Group has been forced to restructure according to regulations laid out by China’s central bank.

MIIT said Friday on its website that Alibaba Cloud had recently discovered the Log4j vulnerability and had informed the Apache Foundation about its existence. The statement added that the ministry was informed of the vulnerability through its cybersecurity-threat platform on Dec. 9. It didn’t make clear who filed the reports.

The ministry said it immediately called in cybersecurity experts, including those from Alibaba Cloud, to assess the cybersecurity threat. In the statement, the ministry said the Log4j flaw was a high-risk vulnerability that could lead to equipment being controlled remotely and sensitive information being stolen.

The vulnerability allows hackers to remotely execute code on a target computer to potentially take over devices, install ransomware or create back doors for future attacks. Cybersecurity researchers say they have already observed hackers linked to governments in several countries attempting to exploit the flaw. China was among the countries mentioned, as were Iran, Turkey and North Korea.

A spokesman for the Chinese Embassy in Washington said last week that Beijing opposes cyberattacks of any kind.

Since the flaw’s discovery was made public, technology suppliers such as

International Business Machines Corp.

and

VMware Inc.

have said they are deploying patches for software that contains the flaw, while

Amazon.com Inc.

and

Microsoft Corp.

have said they are monitoring the issue.

In the European Union, cybersecurity response teams for member countries are closely watching Log4j developments. Belgium’s Defense Ministry said it had shut down parts of its computer network because of cyberattacks linked to the vulnerability.

A top U.S. cybersecurity official described the vulnerability as the worst she had ever seen.

Alibaba, the first Chinese technology provider to make a foray into cloud computing, is China’s largest cloud provider and had 34% of the country’s market in the second quarter of the year, according to researcher Canalys.

—Rachel Liang and Zhao Yueling contributed to this article.

Write to Liza Lin at Liza.Lin@wsj.com and David Uberti at david.uberti@wsj.com

Comments are closed.