This Red Hat security advisory for the OpenTelemetry 3.9.3 build includes fixes for several vulnerabilities: (1) a TOCTOU race condition in libcap's cap_set_file() function allowing local unprivileged users with write access to redirect file capability updates, potentially leading to privilege escalation; (2) an integer overflow in Apache Thrift's TFramedTransport Go implementation that could cause denial of service; (3) denial of service vulnerabilities in Go's crypto/x509 and crypto/tls packages due to unbounded processing of intermediate certificates; (4) a TLS 1.3 connection deadlock caused by multiple key update messages in a single record, leading to resource exhaustion; and (5) an IPC API flaw in systemd that could allow arbitrary code execution or denial of service depending on the version. The advisory confirms these issues are fixed in this release, ensuring file capability updates, integer handling, certificate chain processing, TLS connection handling, and IPC API validation are secure. The update is applicable to Red Hat OpenShift distributed tracing and related components. A known issue with filesystem scraper metrics exists post-upgrade with no workaround. No breaking changes or deprecations are introduced.

The vulnerabilities fixed in this release could allow local privilege escalation via capability injection or stripping, denial of service conditions through resource exhaustion or deadlocks, and potential arbitrary code execution via IPC API misuse in systemd. These impacts affect system stability, availability, and security, particularly in environments using Red Hat OpenShift distributed tracing and related components. The fixes prevent exploitation by ensuring correct file capability updates, safe integer handling, controlled certificate processing, robust TLS connection management, and validated IPC API calls. No known exploits in the wild have been reported, reducing immediate risk but the severity of potential impacts remains high.

A security update is available in Red Hat build of OpenTelemetry 3.9.3 that addresses all listed vulnerabilities. Users should apply this update promptly following Red Hat's official upgrade instructions at https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/operators/administrator-tasks#olm-upgrading-operators. The advisory confirms these vulnerabilities are fixed in this release, so applying the update fully mitigates the risks. No additional workarounds or mitigations are indicated. Note the known issue with filesystem scraper metrics after upgrading; no workaround exists currently.