RHSA-2026:9385 - Security Advisory

Topic

Red Hat OpenShift distributed tracing platform (Tempo) 3.9.2 has been released

Description

This release of the Red Hat OpenShift distributed tracing platform (Tempo) provides security improvements and bug fixes.

Breaking changes:

• None.

Deprecations:

• None.

Technology Preview features:

• None.

Enhancements:

• None.

Bug fixes:

• gRPC-Go authorization bypass vulnerability fix: Previously, gRPC-Go was vulnerable to an authorization bypass attack. This issue occurred because the HTTP/2 :path pseudo-header was not properly validated. Remote attackers could send raw HTTP/2 frames with a malformed :path that omitted the mandatory leading slash to bypass defined security policies. With this update, gRPC-Go properly validates the :path pseudo-header and rejects malformed requests. As a result, attackers can no longer bypass security policies to gain unauthorized access to services or disclose information. For more information, see https://access.redhat.com/security/cve/cve-2026-33186.
• XPath component fix: Previously, the github.com/antchfx/xpath component did not properly handle certain Boolean XPath expressions. A remote attacker could submit a crafted expression that caused an infinite loop, resulting in 100% CPU utilization and a denial-of-service condition. With this update, the XPath component correctly processes Boolean expressions that evaluate to true. The system no longer enters an infinite loop when handling these expressions. For more information, see https://access.redhat.com/security/cve/cve-2026-4645.
• Go JOSE denial-of-service vulnerability fix: Previously, the Go JOSE library for handling JSON Web Encryption (JWE) objects was vulnerable to a denial-of-service (DoS) attack. This issue occurred because the application failed when decrypting a specially crafted JWE object that specified a key wrapping algorithm but contained an empty encrypted key field. With this update, Go JOSE properly validates the encrypted key field before decryption. As a result, the application no longer crashes when processing malformed JWE objects, and the service remains available to legitimate users. For more information, see https://access.redhat.com/security/cve/cve-2026-34986.
• Lodash _.template function fix: Previously, the lodash _.template function validated the variable option but did not validate options.imports key names. Both options passed values to the same code execution path. An attacker with the ability to control options.imports key names or pollute Object.prototype could exploit this gap to execute arbitrary code. With this update, lodash validates options.imports key names by using the same rules applied to the variable option. The _.template function rejects invalid key names and prevents code injection through this path. For more information, see https://access.redhat.com/security/cve/cve-2026-4800.
• Go crypto/x509 and crypto/tls packages fix: Previously, the Go standard library crypto/x509 and crypto/tls packages did not limit the number of intermediate certificates processed during certificate chain building. An attacker could provide an excessive number of intermediate certificates, causing the system to perform an uncontrolled amount of work and resulting in a denial-of-service condition. With this update, the packages limit the number of intermediate certificates accepted during certificate chain validation. The system rejects certificate chains that exceed this limit. For more information, see https://access.redhat.com/security/cve/cve-2026-32280.
• Go Root.Chmod function fix: Previously, the Root.Chmod function in the Go standard library internal/syscall/unix package had a race condition between checking and modifying a target file. An attacker could replace the target with a symbolic link after the check but before the operation completed, causing the permission change to apply to the linked file instead. This allowed an attacker to bypass directory restrictions and change permissions on unintended files. With this update, the Root.Chmod function prevents this race condition. The function no longer follows symbolic links that replace the target during execution. For more information, see https://access.redhat.com/security/cve/cve-2026-32282.
• Go crypto/x509 package fix: Previously, the Go crypto/x509 package applied excluded DNS constraints to wildcard Subject Alternative Names (SANs) in a case-sensitive manner. An attacker could bypass certificate validation by using a different case in the wildcard SAN than the excluded DNS constraint specified. This allowed the system to accept a malicious certificate that should have been rejected. With this update, the package applies DNS constraints case-insensitively when validating wildcard SANs. Certificate chain verification correctly rejects certificates that match excluded DNS constraints regardless of case. For more information, see https://access.redhat.com/security/cve/cve-2026-33810.
• Go crypto/tls component fix: Previously, the Go crypto/tls component did not re-validate certificates against updated certificate authority (CA) settings during TLS session resumption. If CA settings changed between the initial handshake and a resumed session, the component used the original CA settings. An attacker could exploit this to bypass certificate validation and establish a connection that should have been rejected. With this update, the component validates certificates against the current CA settings during session resumption. Resumed sessions that no longer meet CA requirements are rejected. For more information, see https://access.redhat.com/security/cve/cve-2025-68121.
• jsonparser Delete function fix: Previously, the Delete function in the github.com/buger/jsonparser component did not validate offsets when processing malformed JSON input. A remote attacker could provide crafted JSON data that caused a runtime panic, resulting in a denial-of-service condition. With this update, the Delete function validates offsets before processing. The function handles malformed JSON input as expected. For more information, see https://access.redhat.com/security/cve/cve-2026-32285.
• path-to-regexp component fix: Previously, the path-to-regexp component did not limit the complexity of generated regular expressions. A remote attacker could provide input containing multiple sequential optional groups, causing exponential growth in the generated expression and excessive resource consumption. This resulted in a denial-of-service condition. With this update, the component limits regular expression complexity. Input patterns with sequential optional groups no longer cause excessive resource consumption. For more information, see https://access.redhat.com/security/cve/cve-2026-4926.
• Go net/url.Parse function fix: Previously, the Go net/url.Parse function did not properly validate the host component of URLs containing IP-literals. The function ignored invalid characters preceding IP-literals and accepted URLs that should have been rejected. With this update, the function validates the entire host component. URLs with invalid characters before IP-literals are rejected as malformed. For more information, see https://access.redhat.com/security/cve/cve-2026-25679.
• Go crypto/x509 module fix: Previously, the Go crypto/x509 module did not apply all email address constraints when validating certificates. If a certificate contained multiple email constraints with the same local portion but different domain portions, the module only enforced the last constraint and ignored the others. With this update, the module applies all email address constraints during certificate chain validation. Certificates are validated against every specified email constraint. For more information, see https://access.redhat.com/security/cve/cve-2026-27137.

Known issues:

• Gateway fails to forward OTLP HTTP traffic when receiver TLS is enabled. When Tempo Monolithic is configured with `multitenancy.enabled: true` and `ingestion.otlp.http.tls.enabled: true`, the gateway forwards OTLP HTTP traffic to the Tempo receiver using plain HTTP instead of HTTPS. As a consequence, the connection fails with a `connection reset by peer` error because the receiver expects TLS connections. OTLP gRPC ingestion through the gateway is not affected. Jira issue: https://issues.redhat.com/browse/TRACING-5973.

Solution

For details on how to apply this update, refer to:

https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/operators/administrator-tasks#olm-upgrading-operators

Fixes

CVEs

• CVE-2025-68121
• CVE-2026-25679
• CVE-2026-27137
• CVE-2026-32280
• CVE-2026-32282
• CVE-2026-32285
• CVE-2026-33186
• CVE-2026-33810
• CVE-2026-34986
• CVE-2026-4645
• CVE-2026-4800
• CVE-2026-4926

References

• https://access.redhat.com/security/updates/classification/
• https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/distributed_tracing/distributed-tracing-platform-tempo