The open-source Ceph distributed object store and file system has emerged in recent years as a popular component of cloud deployments, particularly OpenStack. That popularity may have made Ceph an attractive target for attackers: on Sept. 17, Red Hat warned of a breach affecting a pair of Ceph websites.
Red Hat, which last year acquired Inktank, the lead commercial sponsor of Ceph, identified both Ceph.com and Download.inktank.com as hosts affected by the intrusion.
“The Download.inktank.com host has been retired, and affected Red Hat customers have been notified,” Ceph founder Sage Weil said.
In its advisory, Red Hat stated: “To date, our investigation has not discovered any compromised code available for download on these sites. We cannot fully rule out the possibility that some compromised code was available for download at some point in the past.”
It is not clear when the Ceph sites were breached, or what security controls were abused or misconfigured in order to enable the breach. A Red Hat spokesperson told eWEEK that the company cannot provide additional detail beyond its public advisory as the situation is an ongoing incident investigation.
The download site on the Inktank host is the source from which releases are built for the Red Hat Ceph product that runs on both the Ubuntu and CentOS Linux distributions. Red Hat has now created a new digital signature key for the Ceph files on the Inktank site, as the previous key is no longer considered trustworthy in light of the intrusion.
There is now also a new signing key to verify downloads from the Ceph site, Weil said.
As far as the current investigation has shown, there is no evidence that the Ceph development build systems or the Ceph GitHub source repository were compromised, he added.
That said, Weil is taking no chances: the sites for Ceph.com and Download.ceph.com have been rebuilt on new hosts.
“All content available on Download.ceph.com has been verified, and all Ceph.com URLs for package locations now redirect there,” Weil wrote.
While the Ceph packages on the Ceph and Inktank sites were affected by the intrusion and have now been re-signed, Ceph packages from the Ubuntu Linux distribution repositories are not affected, according to Ubuntu founder Mark Shuttleworth.
“If you are using the .deb packages that Red Hat published from Download.ceph.com, then you are affected and should replace their key with the new one,” Shuttleworth wrote. “To be clear, we have a great relationship with the Red Hat Ceph team; we happily resell their Ceph support offering on Ubuntu alongside our own Ceph support offering, so this is not a dig, just a PSA [public service announcement].”
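The practical consequence of the key rotation above is that a package signed with the retired key still verifies as cryptographically valid; what has to change is the policy applied to the signer. As an added example (not code from the article, Red Hat or the Ceph project), the wrapper below reads gpg's `--status-fd` output and refuses a valid signature from the retired key; the fingerprints and the sample status lines are constructed placeholders, not real Ceph keys.

```python
"""Key-rotation aware GPG check (added example; not code from the article or
the Ceph project). A signature by a retired key is still valid to gpg; this
wrapper rejects it instead of passing it. Fingerprints are placeholders."""
import subprocess
from enum import Enum

class Verdict(Enum):
    TRUSTED = "trusted"  # valid signature from the current key
    RETIRED = "retired"  # valid, but made with a key retired after the incident
    UNKNOWN = "unknown"  # valid, but from a key in neither set
    BAD = "bad"          # invalid, missing, or unverifiable signature

# Constructed placeholder fingerprints (40 hex chars, like real OpenPGP v4 ones).
CURRENT_KEYS = {"AAAA0000AAAA0000AAAA0000AAAA0000AAAA0000"}
RETIRED_KEYS = {"BBBB1111BBBB1111BBBB1111BBBB1111BBBB1111"}

def classify(status_lines, current=CURRENT_KEYS, retired=RETIRED_KEYS):
    """Decide from gpg --status-fd lines; only VALIDSIG carries a full fingerprint."""
    fprs, bad = [], False
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] == "VALIDSIG" and len(fields) > 2:
            # Field 11, when present, is the primary-key fingerprint (subkey
            # signatures); otherwise field 2 is the signing key itself.
            fprs.append((fields[11] if len(fields) > 11 else fields[2]).upper())
        elif fields[1] in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            bad = True  # expired/revoked signers are failures by policy here
    if bad or not fprs:
        return Verdict.BAD
    if any(f in retired for f in fprs):
        return Verdict.RETIRED  # one retired signer taints the whole artefact
    if all(f in current for f in fprs):
        return Verdict.TRUSTED
    return Verdict.UNKNOWN

def verify_download(path, sig_path):
    """Verify a downloaded package against its detached signature with gpg."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, path],
        capture_output=True, text=True, check=False)
    return classify(proc.stdout.splitlines())

# Constructed status output for a package signed with the retired key.
SAMPLE_STATUS = [
    "[GNUPG:] GOODSIG BBBB1111BBBB1111 Placeholder Release Key <rel@example.invalid>",
    "[GNUPG:] VALIDSIG BBBB1111BBBB1111BBBB1111BBBB1111BBBB1111 2015-09-10 "
    "1441843200 0 4 0 1 10 00 BBBB1111BBBB1111BBBB1111BBBB1111BBBB1111",
]
```

`classify(SAMPLE_STATUS)` returns `Verdict.RETIRED` even though gpg itself reported GOODSIG, which is the point: after a key rotation the wrapper, not gpg, decides which signers are acceptable.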
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.