This Red Hat OpenShift Tempo 3.9.2 release includes security fixes for several vulnerabilities: a gRPC-Go authorization bypass caused by improper validation of the HTTP/2 :path pseudo-header allowing attackers to bypass security policies; an XPath component infinite loop leading to CPU exhaustion; a Go JOSE library denial-of-service via malformed JSON Web Encryption objects; lodash _.template function code injection risk through unvalidated options.imports keys; Go crypto/x509 and crypto/tls package fixes addressing denial-of-service and certificate validation bypasses; a race condition in Go's Root.Chmod function allowing permission changes on unintended files; and denial-of-service issues in JSON parser and path-to-regexp components due to malformed inputs or complex regex patterns. Each vulnerability is mitigated by proper input validation, limiting resource consumption, or correcting logic errors.

The vulnerabilities fixed in this release could allow remote attackers to bypass authorization controls, cause denial-of-service conditions by exhausting CPU or memory resources, execute arbitrary code through template injection, or bypass TLS certificate validation leading to unauthorized connections. These impacts affect the confidentiality, integrity, and availability of services running Red Hat OpenShift Tempo prior to version 3.9.2. No known exploits in the wild have been reported at this time.

An official fix is available in Red Hat OpenShift distributed tracing platform (Tempo) version 3.9.2. Users should upgrade to this version to address the described vulnerabilities. The vendor advisory confirms that these issues are resolved in this release. No additional mitigation actions are required beyond applying this update.