Alibaba employee first spotted a loophole in Log4j software, but now the company is in hot water with Beijing

The flaw in Apache Log4j, a free piece of code that records activity in computer networks and applications, was made public this month, and it is being exploited by hackers in an attempt to gain access to corporate systems and government. In the United States, officials have said hundreds of millions of devices are at risk and issued an emergency directive ordering federal agencies to take action to mitigate the threat by Christmas Eve.

Distributed by the non-profit Apache Software Foundation, Log4j is one of the most widely used tools for collecting information on computer networks, websites and business applications.

Researcher Chen Zhaojun from Alibaba Cloud, a subsidiary of the Hangzhou-based e-commerce company, first reported the vulnerability, a spokesperson for the Apache Software Foundation said. Mr. Chen is a staff member of the Alibaba Cloud security team, according to a security report from Apache Online Logging Services.

Cyber ​​security experts say the general etiquette for researchers who find software flaws is to privately report vulnerabilities to developers who can make fixes. Making vulnerabilities or software updates public before these fixes are implemented can start a race among hackers to take advantage of these issues.

Alibaba declined to comment on Beijing’s allegation of a delay in reporting and Mr. Chen’s involvement.

Mr Chen had drawn the foundation’s attention to the flaw on Nov. 24, and within one day Apache, which is run by a team of volunteers, accepted his report and began researching a fix, the group said. software. Apache communicated with Mr. Chen several times over the next two weeks, discussing a possible solution, he said.

On December 9, when Apache was almost ready to release a patch, Mr. Chen alerted the foundation that users of Chinese newsgroups were discussing the flaw, raising the possibility that hackers were already trying to exploit it, said. said Gary Gregory, one of the association’s volunteer developers.

“The timing was unfortunate,” said Mr. Gregory.

China’s Ministry of Industry and Information Technology, also known as MIIT, on Wednesday said its cybersecurity information and threat platform will cease cooperation with Alibaba Cloud for six months due to the company’s alleged failure to highlight the vulnerability in a timely manner. The state-run China Daily reported, citing unnamed ministry officials.

Alibaba Cloud is part of a nationwide cybersecurity threat platform that requires members to promptly report information about such issues, according to the report. Alibaba’s failure to report the Log4j2 flaw to the appropriate authorities in a timely manner has hampered China’s MIIT’s efforts to effectively manage the threat, the China Daily reported.

The ministry said it would reassess Alibaba’s corrective measures before resuming its current partnership, the China Daily added. MIIT did not respond to an after-hours fax request for comment.

Alibaba has faced a number of regulatory challenges over the past year as Beijing tightened its control over China’s most influential internet companies. The tech juggernaut was fined a record $ 2.8 billion for antitrust violations in April, and its financial affiliate Ant Group was forced to restructure in accordance with regulations issued by the central bank of China.

MIIT said on its website on Friday that Alibaba Cloud recently discovered the Log4j vulnerability and informed the Apache Foundation of its existence. The statement added that the ministry was made aware of the vulnerability through its cyber threat platform on December 9. He did not say who filed the reports.

The ministry said it immediately called in cybersecurity experts, including those from Alibaba Cloud, to assess the cybersecurity threat. In the statement, the ministry said the Log4j flaw was a high-risk vulnerability that could lead to the remote control of equipment and the theft of sensitive information.

The vulnerability allows hackers to remotely execute code on a target computer to potentially take control of devices, install ransomware, or create backdoors for future attacks. Cyber ​​security researchers say they have already observed hackers linked to the governments of several countries attempting to exploit the loophole. China was among the countries mentioned, as were Iran, Turkey and North Korea.

A spokesperson for the Chinese Embassy in Washington said last week that Beijing opposes cyber attacks of any kind.

Since the discovery of the flaw was made public, technology providers such as International Business Machines Corp.

and VMware Inc.

said they are rolling out fixes for software containing the flaw, while Amazon.com Inc.

and Microsoft Corp.

said they were monitoring the matter.

In the European Union, cybersecurity response teams in member countries are closely monitoring developments in Log4j. The Belgian Defense Ministry said it has shut down parts of its IT network due to cyber attacks linked to the vulnerability.

A senior US cybersecurity official described the vulnerability as the worst she has ever seen.

Alibaba, the first Chinese technology provider to make a foray into cloud computing, is China’s largest cloud computing provider and held 34% of the country’s market in the second quarter of the year, according to researcher Canalys.

—Rachel Liang and Zhao Yueling contributed to this article.

Write to Liza Lin at Liza.Lin@wsj.com and David Uberti at david.uberti@wsj.com