The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_3607.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff




====================================================================
Red Hat Security Advisory

Synopsis:           Important: Red Hat OpenShift distributed tracing platform (Tempo) 3.5.1 release
Advisory ID:        RHSA-2025:3607-03
Product:            Red Hat OpenShift distributed tracing
Advisory URL:       https://access.redhat.com/errata/RHSA-2025:3607
Issue date:         2025-04-04
Revision:           03
CVE Names:          CVE-2025-2786
====================================================================

Summary: 

Red Hat OpenShift distributed tracing platform (Tempo) 3.5.1 has been released




Description:

Release of Red Hat OpenShift distributed tracing provides following security improvements, bug fixes, and new features.
The Red Hat OpenShift distributed tracing (Tempo) 3.5.1 is based on the open source link:https://grafana.com/oss/tempo/[Grafana Tempo] release 2.7.1.

Breaking changes:
* With this update, for a user to create or modify a TempoStack or TempoMonolithic CR with enabled multi-tenancy, the user must have permissions to create a TokenReview and SubjectAccessReview.

Deprecations:
* Nothing

Technology Preview features:
* Nothing

Enhancements:
* Nothing

Bug fixes:
* https://access.redhat.com/security/cve/CVE-2025-2786
* https://access.redhat.com/security/cve/CVE-2025-2842

Known issues:
* Currently, when the OpenShift tenancy mode is enabled, the ServiceAccount of the gateway component of a TempoStack or TempoMonolithic instance requires the TokenReview and SubjectAccessReview permissions for authorization. Workaround: deploy the instance in a dedicated namespace, and carefully audit which users have permission to read the Secrets in this namespace.


Solution:

https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/operators/administrator-tasks#olm-upgrading-operators



CVEs:

CVE-2025-2786

References:

https://access.redhat.com/security/cve/CVE-2025-2786
https://access.redhat.com/security/cve/CVE-2025-2842
https://access.redhat.com/security/cve/CVE-2025-30204
https://access.redhat.com/security/updates/classification/
https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/distributed_tracing/distributed-tracing-platform-tempo