
I don't think there are any knee jerk assumptions happening; TFA details the differences, including the policy you're referencing.

(archived version of the article: https://archive.md/Yvsca)

From your linked policy (translated by Apple):

>Article 7 Network product providers shall fulfill the following security vulnerability management obligations

>(2) Relevant vulnerability information shall be submitted [...] within 2 days

In this case, an Alibaba researcher found a bug in an Apache product, so this policy wouldn't seem to apply as Alibaba is not the vendor of the product.



Plainly the linked policy does not ask Alibaba to do what the article says it should do, i.e., notify the government first, as per machine translation.

It seems to say that they should notify the vendor (i.e., Apache) as soon as possible, and notify the government within 2 days (according to rfoo they are not at all required to disclose it to the government since it's not their product, but they are encouraged to do so), not that they should notify the government first and then wait for approval to notify Apache.

According to google translate:

(1) After discovering or learning about the security vulnerabilities in the provided network products, they should immediately take measures and organize verification of the security vulnerabilities to assess the degree of harm and the scope of the security vulnerabilities; for the security vulnerabilities in their upstream products or components, they should notify the relevant product provider immediately.

(2) The relevant vulnerability information should be reported to the Ministry of Industry and Information Technology's cyber security threat and vulnerability information sharing platform within 2 days. The content of the submission shall include the product name, model, version, and the technical characteristics, harm, and scope of the vulnerability that have security loopholes in network products.

So according to machine translation, the article is incorrect, and they do not have to notify the CCP first, instead they should have notified Apache first, and then the government within 2 days.


I think the central point of the article is that the Chinese government is deviating from their stated policy by punishing Alibaba with the 6 month freeze, thus making it newsworthy.


Does the article say that? The article says that the law encourages them to notify the government first, which it doesn't seem to.

At the same time, the article doesn't say that China is going to stop supporting Alibaba Cloud, just that the MIIT is freezing cybersecurity cooperation; as far as I understand the article, there is no legal punishment or serious financial punishment, and it's not even clear that the cooperation with the MIIT didn't have other terms. It's not clear either that they followed the 2-day period.


From my understanding, the Chinese government didn't punish Alibaba according to the regulation discussed above.

Given that the punishment is rather obscure and really weak (okay, your country's CERT felt pissed off and won't talk to you for 6 months, but for megacorps like Alibaba, would they really care?), I don't think they are willing to break the rule, at least for now.


> and then the government within 2 days.

That's wrong. According to the text, Alibaba is not required to report the bug to the government at all. The 2-day term applies to the "domestic network product provider", which would be ASF/log4j maintainers in this case. But they are not domestic, so this does not apply.


Alibaba Cloud, like the other big clouds, has many Java-based products. They’re certainly the vendor of their own vulnerable Java-based products. Whether some other party wrote the code in question doesn’t change that.


Thanks, you're right that they certainly are the vendor of their own vulnerable Java-based products.

AFAIK when the bug became popular on Dec 9, there were still many Java-based services run by Alibaba Cloud that remained unfixed, and it caused chaos and panic among their "SRE"s.

However, reading the regulation text again, now I'm not sure what Alibaba should report in this case:

> (2) Relevant vulnerability information shall be submitted within 2 days to the Ministry of Industry and Information Technology's cybersecurity threat and vulnerability information sharing platform. The submitted content shall include the name, model and version of the product that has the network product security vulnerability, as well as the technical characteristics, harm and scope of impact of the vulnerability, etc.

It says they should report "the name, type and version of the product with the vulnerability, the 'technical characteristics' of the vulnerability and the impact". Does this mean Alibaba should report, for example:

"Alibaba Cloud hosted Apache Flink stream computing service (whatever brand name they use) contains a pre-auth critical RCE vulnerability due to insecure processing of user input in version a.b.c till x.y.z"?

I'm not seeing how the government could know what the bug really is if "the product" means Alibaba Cloud's own product.


Thanks for the correction. I am not convinced, however; if Alibaba ships a single product with Log4J it would be their own product too.


See my sibling comment, if "the product" != log4j, Alibaba is then not required to report that log4j had a vulnerability.

Do you mean by redistributing log4j they became a "network product provider" of log4j?


Either that, or that one of their own products is vulnerable because of the Log4J vulnerability.


