Attackers Hit a Pair of Red Hat's Open-Source Ceph Sites

Red Hat warns that there was an intruder on the Ceph infrastructure, but few details are available while the investigation is ongoing.


The open-source Ceph distributed object store and file system has emerged in recent years as a popular component of cloud deployments, particularly those built on OpenStack. That popularity may have made Ceph an attractive target for attackers: Red Hat warned on Sept. 17 that a pair of Ceph websites had been breached.

Red Hat—which last year acquired Inktank, the lead commercial sponsor of Ceph—identified both and as part of the attacker intrusion.

"The host has been retired, and affected Red Hat customers have been notified," Ceph founder Sage Weil said.

In its advisory, Red Hat stated: "To date, our investigation has not discovered any compromised code available for download on these sites. We cannot fully rule out the possibility that some compromised code was available for download at some point in the past."

It is not yet clear when the Ceph sites were breached, or which security controls were abused or misconfigured to enable the breach. A Red Hat spokesperson told eWEEK that the company cannot provide detail beyond its public advisory while the incident investigation is ongoing.

The download site on the Inktank host is the source from which releases are built for the Red Hat Ceph product, which runs on both the Ubuntu and CentOS Linux distributions. Red Hat has created a new signing key for the Ceph files on the Inktank site; the previous key is no longer considered trustworthy in light of the intrusion.

There is now also a new signing key to verify downloads from the Ceph site, Weil said.

As far as the current investigation has shown, there is no evidence that the Ceph development build systems or the Ceph GitHub source repository were compromised, he added.

That said, Weil is taking no chances as the sites for and have been rebuilt on new hosts.

"All content available on has been verified, and all URLs for package locations now redirect there," Weil wrote.

While the Ceph packages on the Ceph and Inktank sites were affected by the intrusion and have now been re-signed, the Ceph packages in Ubuntu's own distribution repositories are not affected, according to Ubuntu founder Mark Shuttleworth.

"If you are using the .deb packages that Red Hat published from, then you are affected and should replace their key with the new one," Shuttleworth wrote. "To be clear, we have a great relationship with the Red Hat Ceph team; we happily resell their Ceph support offering on Ubuntu alongside our own Ceph support offering, so this is not a dig, just a PSA [public service announcement]."
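The practical follow-up to a signing-key rotation like the one described above (new keys for both the Ceph and Inktank download sites, and Shuttleworth's advice to replace the old key) is to check which key actually signed the repository metadata or packages you already have cached, and to refuse anything still signed by the retired key. The following is an added example, not Ceph, Red Hat or Ubuntu code: it parses OpenPGP signature packets (RFC 4880) directly, so it works on a Release.gpg, InRelease or detached .deb signature without a gpg binary, and reports whether the issuer is the retired key, the replacement key, or something else entirely. The two key IDs, the sample signature it builds and the armored wrapper are all constructed placeholders for the demonstration, not the real Ceph keys.

```python
"""Which OpenPGP key signed this apt Release.gpg / InRelease / .deb signature?

Added example (not Ceph or Red Hat code): after a signing-key rotation, flag
repository metadata still signed by the retired key. Parses RFC 4880 signature
packets directly, so no gpg binary is required. Key IDs are placeholders.
"""
import base64

OLD_KEY_ID = "DEADBEEF00000001"   # placeholder: the retired, no-longer-trusted key
NEW_KEY_ID = "0123456789ABCDEF"   # placeholder: the replacement key


def _read_length(buf, pos, subpacket):
    """New-format packet length (RFC 4880 4.2.2) or subpacket length (5.2.3.1)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first == 255:
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5
    if first < 224 or subpacket:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    raise ValueError("partial body lengths are not supported")


def parse_packets(buf):
    """Split an OpenPGP message into (tag, body) pairs; handles old and new headers."""
    pos, packets = 0, []
    while pos < len(buf):
        tag_byte = buf[pos]
        if not tag_byte & 0x80:
            raise ValueError("invalid packet tag byte")
        if tag_byte & 0x40:                              # new-format header
            tag = tag_byte & 0x3F
            length, pos = _read_length(buf, pos + 1, subpacket=False)
        else:                                            # old-format header
            tag, ltype = (tag_byte >> 2) & 0x0F, tag_byte & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length not supported")
            width = (1, 2, 4)[ltype]
            length = int.from_bytes(buf[pos + 1:pos + 1 + width], "big")
            pos += 1 + width
        packets.append((tag, buf[pos:pos + length]))
        pos += length
    return packets


def signature_issuers(body):
    """Key IDs named by Issuer (16) / Issuer Fingerprint (33) subpackets of a v4 signature."""
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    issuers, pos = set(), 4                  # skip version, sig type, pk algo, hash algo
    for _ in range(2):                       # hashed area, then unhashed area
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos < end:
            sp_len, pos = _read_length(body, pos, subpacket=True)
            sp_type, data = body[pos] & 0x7F, body[pos + 1:pos + sp_len]
            if sp_type == 16:
                issuers.add(data.hex().upper())
            elif sp_type == 33:              # version octet + fingerprint; key ID = low 64 bits
                issuers.add(data[1:].hex().upper()[-16:])
            pos += sp_len
        pos = end
    return issuers


def dearmor(text):
    """Decode an ASCII-armored block (Release.gpg style); the =CRC line is skipped."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an ASCII-armored OpenPGP block")
    payload = []
    for line in lines[lines.index("") + 1:]:          # armor headers end at the blank line
        if line.startswith("-----END"):
            break
        if not line.startswith("="):
            payload.append(line.strip())
    return base64.b64decode("".join(payload))


def classify_signature(sig, trusted, revoked):
    """'revoked' if any issuer is a retired key, 'trusted' if all are known-good, else 'unknown'."""
    if sig.startswith(b"-----BEGIN"):
        sig = dearmor(sig.decode())
    issuers = set()
    for tag, body in parse_packets(sig):
        if tag == 2:                                     # tag 2 = signature packet
            issuers |= signature_issuers(body)
    if not issuers:
        raise ValueError("no signature packet with an issuer found")
    if issuers & revoked:
        return "revoked"
    return "trusted" if issuers <= trusted else "unknown"


def build_sample_signature(key_id_hex):
    """Constructed sample: a structurally valid v4 signature packet naming key_id_hex
    as issuer. The MPI is filler, so gpg would not verify it; it only drives the parser."""
    hashed = bytes([5, 2, 0, 0, 0, 0])                       # len 5, type 2 (creation time)
    unhashed = bytes([9, 16]) + bytes.fromhex(key_id_hex)    # len 9, type 16 (Issuer)
    body = (bytes([4, 0x00, 1, 8])                           # v4, binary sig, RSA, SHA-256
            + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed
            + b"\x12\x34" + (16).to_bytes(2, "big") + b"\xab\xcd")  # hash prefix, filler MPI
    return bytes([0xC2, len(body)]) + body                   # new-format header, tag 2


def armor(packet):
    """Wrap a packet in Release.gpg-style ASCII armor (constructed; CRC line omitted)."""
    b64 = base64.b64encode(packet).decode()
    return "-----BEGIN PGP SIGNATURE-----\n\n" + b64 + "\n-----END PGP SIGNATURE-----\n"
```

Run `classify_signature(open("Release.gpg", "rb").read(), {NEW_KEY_ID}, {OLD_KEY_ID})` against cached apt metadata (or the file a `.deb`'s detached signature lives in) after loading the real key IDs from the vendor's announcement. A result of "revoked" means the cache predates the rotation and should be refreshed; "trusted" only says the right key is named, so the cryptographic check (`gpg --verify` or apt's own verification with the new keyring installed) still has to pass, and "unknown" is treated as a failure rather than silently accepted.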

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.