RHSA-2025:3740 - Security Advisory

Topic

Red Hat OpenShift distributed tracing platform (Tempo) 3.5.1 has been released

Description

Release of Red Hat OpenShift distributed tracing provides following security improvements, bug fixes, and new features.
The Red Hat OpenShift distributed tracing (Tempo) 3.5.1 is based on the open source link:https://grafana.com/oss/tempo/[Grafana Tempo] release 2.7.1.

Breaking changes:

• With this update, for a user to create or modify a TempoStack or TempoMonolithic CR with enabled multi-tenancy, the user must have permissions to create a TokenReview and SubjectAccessReview.

Deprecations:

• Nothing

Technology Preview features:

• Nothing

Enhancements:

• Nothing

Bug fixes:

• https://access.redhat.com/security/cve/CVE-2025-2786
• https://access.redhat.com/security/cve/CVE-2025-2842

Known issues:

• Currently, when the OpenShift tenancy mode is enabled, the ServiceAccount of the gateway component of a TempoStack or TempoMonolithic instance requires the TokenReview and SubjectAccessReview permissions for authorization. Workaround: deploy the instance in a dedicated namespace, and carefully audit which users have permission to read the Secrets in this namespace.

Solution

For details on how to apply this update, refer to:
https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/operators/administrator-tasks#olm-upgrading-operators

Fixes

CVEs

• CVE-2025-22868
• CVE-2025-2786
• CVE-2025-2842
• CVE-2025-29786
• CVE-2025-30204

References

• https://access.redhat.com/security/updates/classification/
• https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/distributed_tracing/distributed-tracing-platform-tempo