- Issued: 2026-02-26
- Updated: 2026-02-26
RHSA-2026:3427 - Security Advisory
Synopsis
Red Hat build of OpenTelemetry 3.9.0 release
Type/Severity
Security Advisory: Important
Topic
Red Hat build of OpenTelemetry 3.9.0 has been released
Description
This release of the Red Hat build of OpenTelemetry provides new features, security improvements, and bug fixes.
Breaking changes:
- The deprecated OpenCensus Receiver, which provided backward compatibility with the OpenCensus project for easier migration of instrumented codebases, is removed and is no longer supported. You can use the OpenTelemetry Protocol (OTLP) and OTLP Receiver instead.
Deprecations:
- The `otlp` name for the OTLP gRPC Exporter in the OpenTelemetry Collector custom resource (CR) is deprecated. Use the `otlp_grpc` name instead. The `otlp` name will be removed in a future release.
- The `otlphttp` name for the OTLP HTTP Exporter in the OpenTelemetry Collector custom resource (CR) is deprecated. Use the `otlp_http` name instead. The `otlphttp` name will be removed in a future release.
Technology Preview features:
- Nothing
Enhancements:
- The following components, available as a Technology Preview before this update, are fully supported from version 3.9:
  - Target Allocator
  - Prometheus Exporter
  - Prometheus Remote Write Exporter
  - Filter Processor
  - Transform Processor
  - Kubernetes Events Receiver
- This update introduces the Metric Start Time Processor. You can use it to add start times to cumulative metrics after the Prometheus Receiver and benefit as follows:
  - Improve historical data analysis by adding start time data for cumulative values.
  - Enable the back end to accurately calculate request rates per minute.
  - Enable threshold-based alerts.
- This release upgrades the Red Hat Universal Base Image (UBI) to version 9.
- This update adds support for overriding the Operator configuration by using environment variables.
- This update adds support for Prometheus scrape classes in the Target Allocator component.
- This update changes the configuration of the Kafka Receiver and Kafka Exporter in the OpenTelemetry Collector. The top-level `encoding` field is now deprecated. With this update, you must set `encoding` per signal type under `logs`, `metrics`, and `traces`. Use the `raw` encoding for logs only, because setting it at the top level applies it to all signal types and causes a startup failure. For examples, see "Kafka Receiver" and "Kafka Exporter" in the Red Hat build of OpenTelemetry documentation (docs.redhat.com/en/documentation/red_hat_build_of_opentelemetry/latest/html-single/configuring_the_collector/index).
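As an added example (not Red Hat's or the OpenTelemetry project's code), the following Python lint checks a parsed Collector configuration for the removed OpenCensus Receiver, the deprecated `otlp` and `otlphttp` exporter names, and the Kafka `encoding` change described above. The function names and the sample configuration are constructed for illustration; the component types `opencensus` and `kafka` are assumed from upstream Collector naming.

```python
# Added example: pre-upgrade lint for a parsed Collector config (assumed names, see lead-in).
RENAMED_EXPORTERS = {"otlp": "otlp_grpc", "otlphttp": "otlp_http"}  # deprecated -> new
REMOVED_RECEIVERS = {"opencensus"}  # assumed type name of the removed OpenCensus Receiver

def ctype(component_id):
    """Component IDs are 'type' or 'type/name'; return the type part."""
    return component_id.split("/", 1)[0]

def lint(cfg):
    """Return a list of findings for a Collector config given as a dict."""
    out = []
    for cid in cfg.get("receivers") or {}:
        if ctype(cid) in REMOVED_RECEIVERS:
            out.append(f"receivers.{cid}: removed; use the OTLP Receiver")
    for cid in cfg.get("exporters") or {}:
        if ctype(cid) in RENAMED_EXPORTERS:
            out.append(f"exporters.{cid}: deprecated; use {RENAMED_EXPORTERS[ctype(cid)]}")
    for section in ("receivers", "exporters"):
        for cid, body in (cfg.get(section) or {}).items():
            if ctype(cid) != "kafka" or not isinstance(body, dict):
                continue
            if "encoding" in body:
                out.append(f"{section}.{cid}.encoding: deprecated; set encoding per signal")
            for signal in ("metrics", "traces"):
                if (body.get(signal) or {}).get("encoding") == "raw":
                    out.append(f"{section}.{cid}.{signal}.encoding: raw is for logs only")
    # Pipelines reference components by ID, so stale IDs must be updated there too.
    for name, pipe in ((cfg.get("service") or {}).get("pipelines") or {}).items():
        for cid in pipe.get("receivers") or []:
            if ctype(cid) in REMOVED_RECEIVERS:
                out.append(f"service.pipelines.{name}.receivers: {cid} is removed")
        for cid in pipe.get("exporters") or []:
            if ctype(cid) in RENAMED_EXPORTERS:
                out.append(f"service.pipelines.{name}.exporters: {cid} is deprecated")
    return out

# Constructed sample config (not from the advisory), as the dict a YAML parser would give.
SAMPLE = {
    "receivers": {"opencensus": {}, "kafka": {"encoding": "raw", "logs": {"encoding": "raw"}}},
    "exporters": {"otlp/backend": {"endpoint": "collector.example:4317"},
                  "otlp_http": {"endpoint": "https://collector.example:4318"}},
    "service": {"pipelines": {"traces": {"receivers": ["opencensus"],
                                          "exporters": ["otlp/backend"]},
                              "logs": {"receivers": ["kafka"], "exporters": ["otlp_http"]}}},
}

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Because the lint matches on the component type, named instances such as `otlp/backend` are caught along with their pipeline references.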
Bug fixes:
- Before this update, the NGINX and Apache instrumentation init containers were created by cloning the main container's configuration. As a consequence, there were issues with cloned liveness and readiness probes. With this release, the NGINX and Apache instrumentation init containers are defined independently, rather than inheriting inappropriate probe settings from the main container. As a result, issues with cloned liveness and readiness probes no longer occur.
- Before this update, the ServiceMonitor for the Operator metrics was not created due to a bug. With this release, the ServiceMonitor for the Operator metrics is created. For more information, see https://issues.redhat.com/browse/TRACING-5919.
- CVE-2025-61726: Before this update, a flaw existed in the `net/url` package in the Go standard library. As a consequence, a denial-of-service HTTP request with a massive number of query parameters could cause the application to consume an excessive amount of memory and eventually become unresponsive. This release eliminates this flaw. For more information, see https://access.redhat.com/security/cve/cve-2025-61726.
Known issues:
- The filesystem scraper does not produce the `system.filesystem.inodes.usage` and `system.filesystem.usage` metrics in the Host Metrics Receiver after upgrading from Collector version 0.142.0 to 0.143.0 or later. No known workaround exists. For more information, see https://issues.redhat.com/browse/TRACING-5963.
Solution
For details on how to apply this update, refer to:
Fixes
- TRACING-5919 - [Upstream] [OpenTelemetry] Operator ServiceMonitor not created on OpenShift due to missing args and uppercase scheme value
CVEs
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.