Kolson’s Dashboard
Sunday, May 10. Morning brief, automations, agents, and deploy controls.
- No open tasks.
## DevOps Radar — Sat, May 9, 2026 (Kolson)

### What’s new (relevant to our stack)

- **Octopus Deploy:** `2026.1` highlights include Recovery Agent, shared secrets in Process Templates, centralized retention policies, improved tagging, copying releases, and NPM repo support.
- **Reality check:** Octopus shows **`2026.2` Cloud builds**, while the **self-hosted “recommended release” is still `2026.1` (build 11411)**.
- **Jenkins:** Security Advisory `2026-04-29` covers vulns in common plugins (Script Security, Credentials Binding, GitHub/GitHub Branch Source, Matrix Auth, HTML Publisher, Microsoft Entra ID) with fixed versions listed.
- **Backstage:** You’re past `v1.42.0` now—`v1.50.0` is out with notable breaking changes (identity token `ent` claim removed by default, Standard Schema for new frontend extension config, React 18 minimum, plus UI changes).
- **Atlassian (Data Center):** April 21, 2026 Security Bulletin: **31 high** + **7 critical third‑party** vulns fixed; guidance is “patch to latest / fixed versions.”
- **Grafana:**
  - `CVE-2026-27877`: **Public dashboards + direct data sources** can expose datasource passwords; fix by upgrading and converting direct → proxied.
  - `CVE-2026-21722`: public dashboards annotations time-range restriction bypass (data visibility issue); fixed versions listed.
- **Kibana:** April 8, 2026 advisories (same fixed versions: `8.19.14 / 9.2.8 / 9.3.3`)
  - `ESA-2026-26`: DoS via **automatic import** (enabled by default in 8.15+); requires an authenticated user with Fleet/Integrations privileges.
  - Also worth bundling into the same upgrade window: `ESA-2026-21/24/25` (Fleet privilege / auth issues).
- **JBoss EAP / WildFly:** Red Hat CSAF for the **JBoss EAP `7.4.24`** security update (Undertow, JGit, Hibernate, Netty HTTP/2 DDoS, etc.) ([security.access.redhat.com](https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_4917.json)).
- **Teams (admin):** May 06, 2026: user‑reported security signals in TAC + numeric‑only meeting passcodes policy (explicit warning/confirmation).

### Why it matters (money + career + Allsite)

- **Money / uptime risk:** Grafana public dashboards + credentials exposure and Kibana DoS vectors are classic “one bad day” incidents (credential spill → lateral movement; DoS → outage).
- **DevOps career growth:** This is a clean “security advisory → controlled rollout → measurable hardening” portfolio story (plugin pinning, RBAC tightening, dashboards that prove posture drift).
- **Allsite growth:** Fewer platform incidents = more consistent shipping and less leadership attention tax (you stay in delivery mode).

### Implementation steps (tight + stack-aligned)

1. **Version + exposure inventory (single checklist):** Octopus channel (Cloud vs self-hosted), Jenkins plugin versions, Backstage version + React baseline, Atlassian DC versions, Grafana public dashboards usage + datasource mode, Kibana version + whether automatic import/Fleet is used, JBoss EAP patch level.
2. **Patch/mitigate in this order:**
   - **Grafana:** if Public Dashboards are enabled, **eliminate “direct” datasources (convert to proxied)** and upgrade to a fixed version; rotate any datasource credentials that were ever configured as direct.
   - **Kibana:** upgrade to `8.19.14 / 9.2.8 / 9.3.3`; until then, **restrict Fleet/Integrations privileges** and watch for abuse patterns on automatic import endpoints.
   - **Jenkins:** update the specific plugins to the advisory’s fixed versions (start with `credentials-binding` + `script-security`).
   - **Atlassian DC:** patch to latest or bulletin fixed versions for each product you run.
   - **JBoss EAP:** schedule the `7.4.24` upgrade + rolling restart window ([security.access.redhat.com](https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_4917.json)).
3. **Backstage track (separate window):** plan for the `v1.50.0` breaks (tokens + extension config + React 18) before you touch plugin migrations.

### What changed since the last run (`2026-05-09T16:20:36.997Z`)

- **Backstage:** “New Frontend System adoption ready” (`v1.42.0`) is now old news; `v1.50.0` adds concrete breaking changes you need to plan for.
- **Kibana:** your prior note focused on `ESA-2026-26`; there are **multiple April 8 Kibana advisories** that share the same fixed versions—bundle them into one upgrade.
- **Grafana:** an additional public-dashboard advisory (`CVE-2026-21722`) is in play alongside the password exposure issue.
- **Octopus:** `2026.2` Cloud builds exist, but self-hosted guidance still points at `2026.1` as the “recommended release” (so your plan depends on Cloud vs self-hosted).

### 30-minute starter task (highest ROI today)

- **Grafana check:** confirm whether **Public Dashboards** are enabled and whether any datasources are set to **direct** mode; if yes, list them and flip them to proxied + queue a creds rotation + upgrade to a fixed version.

One question (to tailor “do this next” precisely): are you **self-hosted or cloud** for **Octopus**, **Atlassian**, and **Kibana**?
## Allsite Hub Update
Allsite update queued successfully.
**BizDev Research Report — Allsite (Snow + Landscaping) — Sun, May 10, 2026 (ET)**

**Live public web research status**

- Your requested `node scripts/research-web.mjs ...` searches failed in this environment (`ENOTFOUND duckduckgo.com`), so I pulled targets from live public sources directly (linked per account).

## Specific businesses to contact (OH/PA-first)

1) **Phillips Edison & Company (PECO)** (Cincinnati, OH)
   - Why fit: grocery-anchored shopping centers → constant slip/fall exposure + year-round grounds.
   - Decision-maker + contact path: **Property Operations / Regional Property Manager / Vendor Mgmt** → use the site’s “Properties” page to map OH/PA centers → call HQ and ask for “vendor onboarding for snow/landscape (property ops).”
2) **SITE Centers** (Beachwood, OH)
   - Why fit: open-air shopping centers; standardized vendor expectations.
   - Decision-maker + contact path: **SVP Property Ops / Regional PM / Procurement** → use the corporate contact path via the company site; ask specifically for “property operations vendor onboarding.”
## DevOps Radar — Sun, May 10, 2026 (Kolson)

### What’s new (for our stack)

- **Octopus Deploy:** Self-hosted **recommended release is still `2026.1 (Build 11411)`**, while **Octopus Cloud is already shipping `2026.2` builds (as recent as Thu May 7, 2026: Build 9314)**.
- **`2026.2` change to note:** some builds include **UI-node background work behavior changes** (a restart is now required to stop/start background work when the task cap is 0) and an option for **self-hosted OTel trace export to disk (diagnostics)**.
- **Jenkins:** Latest advisory is still **`2026-04-29`** (plugins: `credentials-binding`, `script-security`, `github`, `github-branch-source`, `matrix-auth`, `htmlpublisher`, `microsoft-entra-id`) with fixed versions listed.
- **Backstage:** **`v1.50.0`** has real breaking changes (identity token `ent` claim removed by default, Standard Schema for extension config, **React 18 minimum**).
- **Atlassian (Data Center):** **Apr 21, 2026** bulletin: **31 high + 7 critical (3rd‑party)**; guidance is “patch to latest or fixed versions per product”.
- **Grafana:** Multiple security items worth bundling into one upgrade window:
  - **`CVE-2026-27877`: public dashboards + “direct” datasources expose datasource passwords**; fixed in **`11.6.14 / 12.1.10 / 12.2.8 / 12.3.6 / 12.4.2`** (and later).
  - **`CVE-2026-27876` (Critical): RCE path if the `sqlExpressions` feature toggle is enabled**; same fixed versions/patch trains.
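An added audit helper for the Grafana items in the May 9 starter task and the May 10 advisory list (example code written here, not Grafana's own tooling): it reads a `GET /api/datasources` response plus a `grafana.ini` fragment and flags direct-mode datasources together with public dashboards, and the `sqlExpressions` toggle. The datasource list and ini values are constructed samples; `[public_dashboards] enabled` and `[feature_toggles] enable` are Grafana's real keys, and treating the older `publicDashboards` toggle as equivalent to the setting is an assumption.

```python
import configparser
import json
from typing import Dict, List

# Constructed sample in the shape of Grafana's GET /api/datasources response;
# "access" is "proxy" (server-side) or "direct" (the browser talks to the datasource).
SAMPLE_DATASOURCES = json.dumps([
    {"id": 1, "uid": "prom-main", "name": "Prometheus", "type": "prometheus", "access": "proxy"},
    {"id": 2, "uid": "pg-legacy", "name": "Legacy Postgres", "type": "postgres", "access": "direct"},
    {"id": 3, "uid": "loki-edge", "name": "Loki (edge)", "type": "loki", "access": "direct"},
])

# Constructed grafana.ini excerpt (section/key names are Grafana's; values are made up).
SAMPLE_GRAFANA_INI = """[public_dashboards]
enabled = true
[feature_toggles]
enable = publicDashboards,sqlExpressions
"""

def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Read a grafana.ini fragment into {section: {key: value}} (keys lower-cased)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def direct_datasources(datasources_json: str) -> List[str]:
    """UIDs of datasources in 'direct' access mode: the ones to convert to proxied."""
    return [ds["uid"] for ds in json.loads(datasources_json) if ds.get("access") == "direct"]

def audit_grafana(ini_text: str, datasources_json: str) -> Dict[str, object]:
    """Flag the two preconditions from the radar: public dashboards + direct datasources
    (CVE-2026-27877) and the sqlExpressions feature toggle (CVE-2026-27876)."""
    cfg = parse_ini(ini_text)
    raw = cfg.get("feature_toggles", {}).get("enable", "")
    toggles = {t.strip() for t in raw.split(",") if t.strip()}
    public_on = (cfg.get("public_dashboards", {}).get("enabled", "false").lower() == "true"
                 or "publicDashboards" in toggles)  # assumption: toggle == setting
    direct = direct_datasources(datasources_json)
    findings = []
    if public_on and direct:
        findings.append("public dashboards enabled with direct datasources: " + ", ".join(direct)
                        + " (convert to proxied, rotate their credentials, upgrade)")
    if "sqlExpressions" in toggles:
        findings.append("sqlExpressions feature toggle enabled (disable until on a fixed version)")
    return {"public_dashboards": public_on, "direct_datasources": direct,
            "sql_expressions": "sqlExpressions" in toggles, "findings": findings}
```

Point it at the real `/api/datasources` output and your `grafana.ini` to get the list the starter task asks for; an empty `findings` list is the target state before the upgrade window closes.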
## Budget Digest (last 30 days)

- Income: $0.00
- Expenses: $0.00
- Net: $0.00

### Top categories (expenses)

- (no expenses)

Next step (optional): tag entries consistently (Gas/Food/Bills/etc.) for clearer insights.
Gmail triage placeholder: open Codex and ask it to triage your inbox, then paste results here later. Next step: wire this companion to Gmail (OAuth) or have Codex write results back automatically.
- automation: SUCCEEDED
Do not be anxious about anything, but in everything by prayer and supplication with thanksgiving let your requests be made known to God.