Redhat's Ceph and Inktank code libraries were hacked

Redhat's Ceph and Inktank code libraries were hacked

RedHat claims that Ceph community projects and Inktank download websites were hacked last week and some code may be damaged.

Last week, RedHat suffered a very unpleasant accident. Both the Ceph community website and the Inktank download website were hacked. The former is the open-source Ceph Distributed Object Storage System managed development code, and the latter is the commercial version of Ceph.

What happened? Is the code damaged? We still do not know. RedHat said: "Although we are investigating this intrusion, our initial focus is on ensuring the integrity of software and distribution channels for these two websites ."

The good news is: "So far, our investigation has not found that the code available for downloading on these two websites has been compromised ." The bad news is that RedHat "cannot completely eliminate the possibility of some compromised code being downloaded at some time in the past ."

The intrusion not only opened the door to CentOS Ceph in red hat, but also to Ceph in Ubuntu Linux, which is tantamount to sprinkling salt on the wound of the storage software. Both depend on the code from download.inktank.com. The CentOS and Ubuntu versions are signed with the Inktank signature key (id 5438C7019DCEEEAD. In addition, ceph.com provides upstream packages for the Ceph Community version signed with the Ceph signature key (id 7EBFDD5D17ED316D.

The Red Hat Security Department claims that they "no longer trust the integrity of the Inktank signature key, and therefore use the standard Red Hat version key to re-sign these versions of the Red Hat Ceph storage product. Customers of the Red Hat Ceph storage product should only use the version signed by the Red Hat version key ."

This intrusion has not affected other Ceph websites, such as download.ceph.com or git.ceph.com. It is also known that it has not affected any other Ceph community infrastructure. There is no evidence that the version build system or the Ceph github source code library is compromised.

According to Ceph, "a new host has been built for ceph.com and download.ceph.com, and the website has been rebuilt. All content on download.ceph.com has been reviewed, and all the ceph.com URLs pointing to the package location are now redirected to it. Some content is still missing on download.ceph.com, but it will be added later today: the source code package file will be re-generated from git, and the old version package will be re-signed by the new version and password ."

Red Hat Ceph storage software or Red Hat Enterprise Edition Linux (RHEL) is not affected by this problem. Other Red Hat products are also not damaged.

Follow these steps to download, verify, and install a known clean Ceph version.

Change APT key (Debian and Ubuntu)

sudo apt-key del 17ED316D
curl https://git.ceph.com/release.asc | sudo apt-key add -
sudo apt-get update

Replace RPM keys (Fedora, CentOS, SUSE, etc)

sudo rpm -e --allmatches gpg-pubkey-17ed316d-4fb96ee8
sudo rpm --import 'https://git.ceph.com/release.asc'

Reinstall the package (Fedora, CentOS, SUSE, etc)

sudo yum clean metadata
sudo yum reinstall -y $(repoquery --disablerepo=* --enablerepo=ceph --queryformat='%{NAME}' list '*')

Fortunately, "customer data is not stored in the compromised system. The system does have hash values for usernames and passwords. We provide these materials to the customer to verify the downloaded content ."

The Red Hat has no idea how the hacker was successful. On the other hand, CMB's website is hosted on a computer system outside the RedHat infrastructure ." The reconstructed website is now under the security control of the red hat.

News source: ZDnet.com | cloud toutiao Translation

This article permanently updates the link address: