
Alibaba Cloud responds to its failure to share vulnerability information in a timely manner: it will strengthen compliance awareness

Economic Observer Network, reporter Zhou Yingmei: On December 23, Alibaba Cloud released a statement through its official WeChat public account saying that, after one of its research and development engineers discovered the Apache Log4j2 component vulnerability, it did not share the vulnerability information in time because it did not realize the seriousness of the vulnerability in the early stage. Alibaba Cloud said it will strengthen vulnerability management and enhance compliance awareness.

Previously, it was reported that Alibaba Cloud did not report to the telecommunications authorities in a timely manner after discovering security vulnerabilities, and was notified by the Cyber Security Administration of the Ministry of Industry and Information Technology, which suspended it for 6 months as a cooperation unit of the Ministry's network security threat and vulnerability information sharing platform (referred to as the CSTIS platform).

Alibaba Cloud's statement said that a research and development engineer of Alibaba Cloud recently found a security bug in the Log4j2 component and, following industry practice, reported the problem by email to the software's developer, the Apache open source community, and asked for help. The Apache open source community confirmed that this was a security vulnerability and released a patch to fix it globally. Subsequently, the vulnerability was confirmed to be a major global vulnerability.

Log4j2 is an open source logging component owned by the Apache open source community and is widely used by enterprises and organizations around the world to develop various business systems.

On December 17, the Cyber Security Administration of the Ministry of Industry and Information Technology issued a risk warning. It stated that Alibaba Cloud had recently discovered a remote code execution vulnerability in the Apache Log4j2 component that may lead to remote control of devices, resulting in serious harm such as theft of sensitive information and interruption of device services, and that it is a high-risk vulnerability. The warning reminded relevant units and the public to pay close attention to the release of Apache Log4j2 component vulnerability patches, check the use of Apache Log4j2 components in their own systems, and upgrade component versions in a timely manner.

Alibaba Cloud said that it did not share vulnerability information in a timely manner because it did not realize the severity of the vulnerability in the early stage. Alibaba Cloud will strengthen vulnerability management, enhance compliance awareness, and actively coordinate with all parties to prevent network security risks.

According to first-quarter 2021 data released by the market research agency IDC, the IaaS+PaaS segment of China's public cloud market reached 4.632 billion US dollars in the first quarter, and Alibaba Cloud ranked first with a market share of 40%. Data shows that Alibaba Cloud has more than 4 million paid users.
