Red Hat Investigated Intrusion on Sites of Ceph and Inktank
"Important security notice"
This is a Press Release edited by StorageNewsletter.com on September 22, 2015 at 2:45 pmThis article was posted on September 17, 2015 on security blog of Red Hat, Inc.
Important security notice regarding signing key and distribution
of Red Hat Ceph Storage on Ubuntu and CentOS
Last week, Red Hat investigated an intrusion on the sites of both the Ceph community project and Inktank, which were hosted on a computer system outside of Red Hat infrastructure.
download.inktank.com provided releases of the Red Hat Ceph product for Ubuntu and CentOS OSs. Those product versions were signed with an Inktank signing key (id 5438C7019DCEEEAD). ceph.com provided the upstream packages for the Ceph community versions signed with a Ceph signing key (id 7EBFDD5D17ED316D). While the investigation into the intrusion is ongoing, our initial focus was on the integrity of the software and distribution channel for both sites.
To date, our investigation has not discovered any compromised code available for download on these sites. We can not not fully rule out the possibility that some compromised code was available for download at some point in the past.
For download.inktank.com, all builds were verified matching known good builds from a clean system. However, we can no longer trust the integrity of the Inktank signing key, and therefore have re-signed these versions of the Red Hat Ceph Storage products with the standard Red Hat release key. Customers of Red Hat Ceph Storage products should only use versions signed by the Red Hat release key.
For ceph.com, the Ceph community has created a new signing key (id E84AC2C0460F3994) for verifying their downloads. See ceph.com for more details.
Customer data was not stored on the compromised system. The system did have usernames and hashes of the fixed passwords we supplied to customers to authenticate downloads.
To reiterate, based on our investigation to date, the customers of the CentOS and Ubuntu versions of Red Hat Ceph Storage should take action as a precautionary measure to download the rebuilt and newly-signed product versions. We have identified and notified those customers directly.
Customers using Red Hat Ceph Storage products for Red Hat Enterprise Linux are not affected by this issue. Other Red Hat products are also not affected.