Red Hat software has revealed “an intrusion on the sites of both the Ceph community project (ceph.com) and Inktank (download.inktank.com)” that resulted in signed code being accessed.
The company says ceph.com and download.inktank.com, both hosted “outside of Red Hat infrastructure”, were accessed by someone Red Hat doesn't trust. Which is bad news because inktank “provided releases of the Red Hat Ceph product for Ubuntu and CentOS operating systems … signed with an Inktank signing key (id 5438C7019DCEEEAD).” Ceph.com held “upstream packages for the Ceph community versions signed with a Ceph signing key (id 7EBFDD5D17ED316D).”
To date, Red Hat says, “our investigation has not discovered any compromised code available for download on these sites.” The company's playing it safe, adding that “We can not not fully rule out the possibility that some compromised code was available for download at some point in the past.”
No customer data was on either intruded-upon server, but the systems did “have usernames and hashes of the fixed passwords we supplied to customers to authenticate downloads.”
What to do? Red Hat's re-signed the versions of Ceph at inktank with the standard Red Hat release key. Ceph downloads from ceph.com have a new signing key (id E84AC2C0460F3994) with which to verify downloads. The company says it has contacted known customers to advise them it's a sensible move to download the rebuilt and newly-signed products.
Red Hat's urging caution, not panic, and says its investigation is ongoing. As is our watch on this situation. ®