- Issued:
- 2025-04-04
- Updated:
- 2025-04-04
RHSA-2025:3607 - Security Advisory
Synopsis
Red Hat OpenShift distributed tracing platform (Tempo) 3.5.1 release
Type/Severity
Security Advisory: Important
Topic
Red Hat OpenShift distributed tracing platform (Tempo) 3.5.1 has been released
Description
Release of Red Hat OpenShift distributed tracing provides following security improvements, bug fixes, and new features.
The Red Hat OpenShift distributed tracing (Tempo) 3.5.1 is based on the open source link:https://grafana.com/oss/tempo/[Grafana Tempo] release 2.7.1.
Breaking changes:
- With this update, for a user to create or modify a TempoStack or TempoMonolithic CR with enabled multi-tenancy, the user must have permissions to create a TokenReview and SubjectAccessReview.
Deprecations:
- Nothing
Technology Preview features:
- Nothing
Enhancements:
- Nothing
Bug fixes:
- https://access.redhat.com/security/cve/CVE-2025-2786
- https://access.redhat.com/security/cve/CVE-2025-2842
Known issues:
- Currently, when the OpenShift tenancy mode is enabled, the ServiceAccount of the gateway component of a TempoStack or TempoMonolithic instance requires the TokenReview and SubjectAccessReview permissions for authorization. Workaround: deploy the instance in a dedicated namespace, and carefully audit which users have permission to read the Secrets in this namespace.
Solution
For details on how to apply this update, refer to:
https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/operators/administrator-tasks#olm-upgrading-operators
Fixes
(none)amd64
| registry.redhat.io/rhosdt/tempo-operator-bundle@sha256:295309554800a4a1d5d0646c8ec776e2f712cd13cebb085078df5ba85d604808 |
| registry.redhat.io/rhosdt/tempo-gateway-rhel8@sha256:630e24b5a39e415fbe48843ca18908634d55af2051a3f76dd538b6978f1e3669 |
| registry.redhat.io/rhosdt/tempo-jaeger-query-rhel8@sha256:a3439dd373ac34a13a99510275007e9229e07cddc6fc6db09aa7f952adbfaa4c |
| registry.redhat.io/rhosdt/tempo-gateway-opa-rhel8@sha256:2c10ff99cecd5a80f8cd59dfb74bf768bd3e8fc87616be30f2439ab1c1f32c3c |
| registry.redhat.io/rhosdt/tempo-rhel8-operator@sha256:a494025181bea65d1d839460a4a3985a46dc5f62cf7939b69293b95de5b1563a |
| registry.redhat.io/rhosdt/tempo-query-rhel8@sha256:ebb8923f54cf129d88142a20a3936677dcb631b5e411b4e0782d6020e6682266 |
| registry.redhat.io/rhosdt/tempo-rhel8@sha256:486d4627fa99b6b1002bb257f02c7c212ed5e65bf22e163ed96d542297bc753e |
arm64
| registry.redhat.io/rhosdt/tempo-gateway-rhel8@sha256:133f4f1087b0e199f211007ceb2aeae9b9202c5961e812ea4aa037d375a93415 |
| registry.redhat.io/rhosdt/tempo-jaeger-query-rhel8@sha256:ef4cfa8974700cb4fcff1ac31ee648fd733c9205bf3432f3b4e291838a6413d2 |
| registry.redhat.io/rhosdt/tempo-gateway-opa-rhel8@sha256:adba030ecb2f998e52a136ce0e1c2d36909888b89fe7d1e7c95b5da5d6f8e927 |
| registry.redhat.io/rhosdt/tempo-rhel8-operator@sha256:29c1be152c9b2ca9fa8af25a10f156f8731b8396e8b2bc82d6b398a5e5027fdf |
| registry.redhat.io/rhosdt/tempo-query-rhel8@sha256:0e7b8b0a049d4e5468138d4578cdd051b13257f6cdf59c64319c4769bcce7597 |
| registry.redhat.io/rhosdt/tempo-rhel8@sha256:97972d686b7df8acb5c859255f49d965a466dc9d445aa90f8aca3ac59d4d9e59 |
ppc64le
| registry.redhat.io/rhosdt/tempo-gateway-rhel8@sha256:b6c27629f411b90f3a7e5b27732f250c7dfa57d75ee1636de644a4d40a65d228 |
| registry.redhat.io/rhosdt/tempo-jaeger-query-rhel8@sha256:692a0a623566b428ec580408ddca17c9f5cbfb5bfb4de7fe694889cc1bb58e9d |
| registry.redhat.io/rhosdt/tempo-gateway-opa-rhel8@sha256:d44758883d9bd4ce3246a92b71e81b72abf9051851d34aa4d98594951fd3082c |
| registry.redhat.io/rhosdt/tempo-rhel8-operator@sha256:cbe0df797c34aebfec911c281fbfee9fe7713a4c45d778ae480cd6a7bcab202e |
| registry.redhat.io/rhosdt/tempo-query-rhel8@sha256:2483855a80e228e5cd2e02b10b7941417426838b1111c21c4e08e5166027aea9 |
| registry.redhat.io/rhosdt/tempo-rhel8@sha256:c409c4b02e50e5f10e5da74f0692a194fb23db824aa49552c1e9ce76dbd74494 |
s390x
| registry.redhat.io/rhosdt/tempo-gateway-rhel8@sha256:f98634834feb77a03d96abf8264ce3a433f44c5645b2623793fb5d0193d8cf84 |
| registry.redhat.io/rhosdt/tempo-jaeger-query-rhel8@sha256:7ca83d25a1436f91241449b12e1fb67ebc7384329b2c7988d3271d3d35302c02 |
| registry.redhat.io/rhosdt/tempo-gateway-opa-rhel8@sha256:b4c535900eeae9ff1ce2d08f3fe8b819eed633431a2906859335889549883b99 |
| registry.redhat.io/rhosdt/tempo-rhel8-operator@sha256:233132300a9f5f019047a414b240f5b32c7563af8107bb52c4395892fdcd0fe0 |
| registry.redhat.io/rhosdt/tempo-query-rhel8@sha256:4a99b059bc5edc891b048822c9da5a654b163756e647ecd6da38b81fb5563222 |
| registry.redhat.io/rhosdt/tempo-rhel8@sha256:fceb29a4b587e61efdc89e5fc662b09767cc8750e86f17eaf3070b279b708899 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
