SecurityWeek

Incident Response

Red Hat Warns of Ceph Website Breach

Red Hat warned users on Thursday that it detected an intrusion on two websites related to Ceph, the company’s open source distributed storage platform.

According to the open source giant, which acquired Ceph developer Inktank in April 2014, the breach affects the websites ceph.com and download.inktank.com. Ceph.com offers downloads for Ceph community versions, while download.inktank.com provided releases of the Red Hat Ceph product for Ubuntu and CentOS.

The company has pointed out that the affected websites are hosted on a server outside of the Red Hat infrastructure. The investigation is ongoing, but so far there is no evidence that the code and binaries offered on the impacted websites have been compromised.

On the other hand, Red Hat says it cannot fully rule out the possibility that the files available for download at some point in the past had been altered. The company also believes the signing keys for Inktank and Ceph.com can no longer be trusted. As a result, the Ceph signing key has been replaced, and the Red Hat Ceph Storage products have been re-signed with standard Red Hat release keys.

“This intrusion did not affect other Ceph sites such as download.ceph.com (which contained some Ceph downloads) or git.ceph.com (which mirrors various source repositories), and is not known to have affected any other Ceph community infrastructure. There is no evidence that build systems or the Ceph github source repository were compromised,” reads a security notice posted on the Ceph website.

Customers of Red Hat Ceph Storage versions for CentOS and Ubuntu have been advised to download the newly signed product versions. Customers of Red Hat Ceph Storage for RHEL and other Red Hat products are not affected by the incident.

The ceph.com and download.ceph.com websites have been rebuilt and all the content hosted on them has been verified. Red Hat customers have been notified that the download.inktank.com host has been retired following the breach.

Red Hat noted that while the compromised system did not store customer data, it did hold usernames and password hashes used by customers for authenticating downloads.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
