- Published: 2026-02-26
- Updated: 2026-02-26
RHSA-2026:3459 - Security Advisory
Synopsis
Red Hat OpenShift distributed tracing platform (Tempo) 3.9.0 release
Type/Severity
Security Advisory: Important
Topic
Red Hat OpenShift distributed tracing platform (Tempo) 3.9.0 has been released
Description
This release of the Red Hat OpenShift distributed tracing platform (Tempo) provides new features, security improvements, and bug fixes.
Breaking changes:
- Nothing
Deprecations:
- Nothing
Technology Preview features:
- Nothing
Enhancements:
- This release upgrades Tempo components to version 2.10.0, which improves TraceQL performance. Jira issue: https://issues.redhat.com/browse/TRACING-5944.
- This update extends the `TempoStack` Custom Resource Definition (CRD) with a network policy option that enables the Operator to reconcile network policies among all components. This option is enabled by default. Jira issue: https://issues.redhat.com/browse/TRACING-5807.
- This update adds support for overriding the Operator configuration by using environment variables. You can configure Operator settings through the `Subscription` custom resource of the Operator Lifecycle Manager (OLM) without modifying ConfigMaps. The `--config` flag remains available for custom configuration files if needed. Jira issue: https://issues.redhat.com/browse/TRACING-5745.
- This update introduces the `size` field for `TempoStack` deployments, which provides predefined t-shirt size configurations. Instead of manually calculating CPU, memory, and storage for each component, you can select a size that matches your workload scale. The following sizes are available: `1x.demo`, `1x.pico`, `1x.extra-small`, `1x.small`, and `1x.medium`. This field is optional and existing configurations using `resources.total` or per-component overrides continue to work unchanged. Jira issue: https://issues.redhat.com/browse/TRACING-5376.
- This update improves `TempoMonolithic` memory usage. The Operator now automatically sets the `GOMEMLIMIT` soft memory limit for the Go garbage collector to 80% of the container memory limit for all Tempo components, so the runtime collects more aggressively before the container reaches its limit. This reduces the likelihood of out-of-memory terminations. Jira issue: https://issues.redhat.com/browse/TRACING-4554.
- This update requires tenant configuration and an enabled gateway for `TempoStack` and `TempoMonolithic` instances. The gateway is the component that authenticates callers and authorizes them per tenant, so an instance without it has no tenant isolation in front of the Tempo receiver. If you do not enable the gateway, the Operator displays a warning. For a `TempoStack` instance, enable the gateway by setting `.spec.template.gateway.enabled` to `true`. For a `TempoMonolithic` instance, the gateway is enabled automatically when any tenant is configured. `TempoStack` and `TempoMonolithic` instances without an enabled gateway are not supported. Jira issue: https://issues.redhat.com/browse/TRACING-5750.
- This release upgrades the Red Hat Universal Base Image (UBI) to version 9.
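As an added illustration (not part of the advisory and not the project's own sample), the following `TempoStack` uses the new `size` field together with the tenant configuration and enabled gateway that this release requires. The namespace, storage secret name, tenant names and tenant IDs are placeholders; the network policy option is not shown because the advisory does not name the field. The `ClusterRole` that follows assumes the Operator's `openshift` tenant mode, in which the gateway authorizes a caller by checking `get` on a resource named after the tenant; that model is an assumption from the Operator's documented behaviour, not something stated in the advisory.

```yaml
apiVersion: tempo.grafana.com/v1alpha1
kind: TempoStack
metadata:
  name: simplest
  namespace: openshift-tempo        # placeholder namespace
spec:
  # New in 3.9.0: a predefined t-shirt size replaces hand-tuned
  # resources.total or per-component requests/limits.
  size: 1x.small
  storage:
    secret:
      name: tempo-object-storage    # placeholder Secret with object-storage credentials
      type: s3
  storageSize: 10Gi
  # Tenants are mandatory in 3.9.0. In openshift mode the gateway
  # authenticates callers with their OpenShift token and authorizes per tenant.
  tenants:
    mode: openshift
    authentication:
      - tenantName: dev             # placeholder tenant
        tenantId: 1610b0c3-c509-4592-a256-a1871353dbfa   # placeholder UUID
      - tenantName: prod            # placeholder tenant
        tenantId: 1610b0c3-c509-4592-a256-a1871353dbfb   # placeholder UUID
  template:
    gateway:
      # Required: instances without an enabled gateway are unsupported
      # and the Operator emits a warning.
      enabled: true
    queryFrontend:
      jaegerQuery:
        enabled: true
---
# Assumed least-privilege read grant for the "dev" tenant only: the gateway
# maps a query for tenant "dev" to a SubjectAccessReview for get on
# tempo.grafana.com/dev, resourceName "traces". Writers would need "create".
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tempostack-dev-traces-reader   # placeholder name
rules:
  - apiGroups: [tempo.grafana.com]
    resources: [dev]
    resourceNames: [traces]
    verbs: [get]
```

Apply with `oc apply -f` and then confirm the Operator reports no gateway warning on the `TempoStack` status; binding the `ClusterRole` to a group rather than to individual users keeps tenant access reviewable.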
Bug fixes:
- Fixed network policies for managed OpenShift services. Before this update, the Operator network policies used a hard-coded port 6443 for the API server. As a consequence, the Operator failed to connect to managed OpenShift services that expose the API on port 443. With this update, the Operator dynamically retrieves the control plane address from service endpoints. As a result, network policies work correctly on all OpenShift environments. Jira issue: https://issues.redhat.com/browse/TRACING-5974.
- CVE-2025-61726: Before this update, a flaw existed in the `net/url` package in the Go standard library. As a consequence, an HTTP request carrying a very large number of query parameters could cause the application to consume an excessive amount of memory and eventually become unresponsive, resulting in a denial of service. This release includes the fix for this flaw. For more information, see https://access.redhat.com/security/cve/cve-2025-61726.
- CVE-2025-61729: Before this update, the `HostnameError.Error()` function in the Go `crypto/x509` package used string concatenation in a loop without limiting the number of printed hostnames. As a consequence, processing a malicious certificate with many hostnames could cause excessive CPU and memory consumption, leading to a denial-of-service condition. This release includes the fix for this flaw. For more information, see https://access.redhat.com/security/cve/CVE-2025-61729.
- CVE-2025-68121: Before this update, a flaw existed in the `crypto/tls` package in the Go standard library. As a consequence, during TLS session resumption, unauthorized clients or servers could bypass certificate validation if CA pools were mutated between handshakes. This release includes the fix for this flaw. For more information, see https://access.redhat.com/security/cve/CVE-2025-68121.
Known issues:
- Gateway fails to forward OTLP HTTP traffic when receiver TLS is enabled. When a `TempoMonolithic` instance is configured with `multitenancy.enabled: true` and `ingestion.otlp.http.tls.enabled: true`, the gateway forwards OTLP HTTP traffic to the Tempo receiver over plain HTTP instead of HTTPS. As a consequence, the connection fails with a `connection reset by peer` error because the receiver expects TLS connections. OTLP gRPC ingestion through the gateway is not affected. Jira issue: https://issues.redhat.com/browse/TRACING-5973.
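As an added example (not from the advisory or the project), a `TempoMonolithic` configuration that avoids the known issue above: tenants are configured (which enables the gateway), gRPC ingestion keeps receiver TLS on, and receiver TLS on the HTTP endpoint is left off. The choice to disable HTTP receiver TLS is an inference from the known issue, not a workaround the advisory states; the namespace, tenant name and tenant ID are placeholders.

```yaml
apiVersion: tempo.grafana.com/v1alpha1
kind: TempoMonolithic
metadata:
  name: monolithic
  namespace: openshift-tempo        # placeholder namespace
spec:
  multitenancy:
    enabled: true                   # any configured tenant also enables the gateway
    mode: openshift
    authentication:
      - tenantName: dev             # placeholder tenant
        tenantId: 1610b0c3-c509-4592-a256-a1871353dbfa   # placeholder UUID
  ingestion:
    otlp:
      grpc:
        enabled: true
        tls:
          enabled: true             # gRPC through the gateway is not affected by TRACING-5973
      http:
        enabled: true
        tls:
          # Affected combination: with multitenancy.enabled: true, setting this
          # to true makes the gateway send plain HTTP to a TLS-only receiver and
          # clients get "connection reset by peer". Kept false until TRACING-5973
          # is fixed; point OTLP/HTTP clients at the gateway, not the receiver.
          enabled: false
```

If a client must use OTLP/HTTP with this release, verify the path end to end after deployment: a `connection reset by peer` from the gateway with receiver HTTP TLS enabled is the symptom described above, and switching that exporter to OTLP/gRPC is the other option the advisory leaves open.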
Solution
For details on how to apply this update, refer to:
Fixes
- TRACING-6023 - TempoStack version upgrade from 0.16.0-2 to 0.19.0-3 creates networkPolicies that break communication with Kubernetes API.
amd64
| Container image (amd64) |
| --- |
| registry.redhat.io/rhosdt/tempo-operator-bundle@sha256:90d1a71febb6cac99b64fc4863bcb66b11aa18c30dad93b244aca3290c3574e0 |
| registry.redhat.io/rhosdt/tempo-gateway-rhel9@sha256:f406407af8056cdf664bc525ca91dba35cb047f57b6072c0611567b9d52639a7 |
| registry.redhat.io/rhosdt/tempo-jaeger-query-rhel9@sha256:8fd5701262304469820b1103a5aefbd5a63200bbb106cd81e1f402548812a932 |
| registry.redhat.io/rhosdt/tempo-gateway-opa-rhel9@sha256:cd55f3750867fa478f118f6f24cc34ab1778a29b3e46665408874d945df7dab9 |
| registry.redhat.io/rhosdt/tempo-rhel9-operator@sha256:dc6eb4ba236ba188753f3c44134e76b95b56d3f6c85a05dc298885da72c0a8dd |
| registry.redhat.io/rhosdt/tempo-query-rhel9@sha256:64493ed24c50692ef9cd6150737102d98ae120b6dba1599fdd6f13dff4c783a3 |
| registry.redhat.io/rhosdt/tempo-rhel9@sha256:df88c2ddadcc28f76718d9965867aa4bcfb55d8b891184b54755e4d1be68ebd1 |
arm64
| Container image (arm64) |
| --- |
| registry.redhat.io/rhosdt/tempo-gateway-rhel9@sha256:5d876965288712d82ad017e5838ca5b9c4fa507c8c7c14ceb404a020113d8396 |
| registry.redhat.io/rhosdt/tempo-jaeger-query-rhel9@sha256:da4e907fcbb808128b23afd41d4651555dcff11db2e361adc1bfac1f231db4aa |
| registry.redhat.io/rhosdt/tempo-gateway-opa-rhel9@sha256:a03e51634b01763f1f4ef7d74c1927919430d1fa1e4c37de3e1541b7dcf07b7c |
| registry.redhat.io/rhosdt/tempo-rhel9-operator@sha256:836fe86ff3d2beeedfb4eeea334e06f971a216fe903b846a1186c2fb77024b45 |
| registry.redhat.io/rhosdt/tempo-query-rhel9@sha256:cee195d4549093a1d9d161b243a1373368560f8bd578a57e5e2f5a2239801b99 |
| registry.redhat.io/rhosdt/tempo-rhel9@sha256:2c607d3ab16a5576481d060c5022a60aded5105169b44a02036fa6f37a169953 |
ppc64le
| Container image (ppc64le) |
| --- |
| registry.redhat.io/rhosdt/tempo-gateway-rhel9@sha256:16060709000e2eadd2a67e70c07169673d8a5dd17e2a0c3773f00f2ed70a2387 |
| registry.redhat.io/rhosdt/tempo-jaeger-query-rhel9@sha256:4d8aacf31e9e78db9aa8f9722e89c1999da5033b9e6716c3853845cc3b1e06f5 |
| registry.redhat.io/rhosdt/tempo-gateway-opa-rhel9@sha256:fc56b8131efe2bd94900d237b8cedf72ddc917e269c9a8277852cb3eeb65aa50 |
| registry.redhat.io/rhosdt/tempo-rhel9-operator@sha256:0acc5e1a59997d41552c51e2be79e7f40c8b91a2ee55d7c1efc9e0cd7960de9a |
| registry.redhat.io/rhosdt/tempo-query-rhel9@sha256:52f9517cb0d07549162a971c4969fe1319a2fb287135f54e1344065ef516883d |
| registry.redhat.io/rhosdt/tempo-rhel9@sha256:3012a6730ca532de4dc6d524279e9c9f04b69afeaec81c3fc2df43bfc1c888b7 |
s390x
| Container image (s390x) |
| --- |
| registry.redhat.io/rhosdt/tempo-gateway-rhel9@sha256:76a0a2fba9632bd614adc12eb35df686f2502c71cfdbf699a1c3d2bb62871d29 |
| registry.redhat.io/rhosdt/tempo-jaeger-query-rhel9@sha256:c90c7540ee2549fa430f5fd42b7e2a6183e0027fa11514151496b56e235b610c |
| registry.redhat.io/rhosdt/tempo-gateway-opa-rhel9@sha256:bfce7a25f48e52508ea06d5cbfa2713ba34001108d1300fa997278b8adbd602a |
| registry.redhat.io/rhosdt/tempo-rhel9-operator@sha256:ecf05fcb9614dfaab20783e9218f418497eaddd42b0d51a32a8034c52070376e |
| registry.redhat.io/rhosdt/tempo-query-rhel9@sha256:0bf8e0ac0183cc9c0bb8011261945562fc848f92083770f009babf55a76d97aa |
| registry.redhat.io/rhosdt/tempo-rhel9@sha256:c665ee88b56ebe02f4d2260262bb044647d900a17958ac9dae3932d240ceac09 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.