The Red Hat OpenShift distributed tracing platform (Tempo) 3.5.1 release incorporates security fixes for several vulnerabilities, including CVE-2025-2786 and CVE-2025-2842. The update is based on Grafana Tempo 2.7.1 and enforces stricter permission requirements for managing multi-tenant TempoStack or TempoMonolithic custom resources, specifically requiring TokenReview and SubjectAccessReview permissions. A known issue requires the gateway component's ServiceAccount to have these permissions when tenancy mode is enabled, with a workaround involving deployment in a dedicated namespace and auditing Secret access. The vendor advisory confirms the availability of this update and provides detailed upgrade guidance. No exploits in the wild have been reported, and no additional enhancements or deprecations are included.

The vulnerabilities addressed in this release are rated high severity, indicating a significant security risk if left unpatched. The update enforces stricter permission controls to prevent unauthorized creation or modification of multi-tenant tracing resources, reducing the risk of privilege escalation or unauthorized access. The known issue related to required permissions for the gateway component may impact deployment configurations but does not indicate an active exploit. No known exploits in the wild have been reported.

A fix is available in Red Hat OpenShift distributed tracing platform (Tempo) version 3.5.1. Users should apply this update following the vendor's documented upgrade procedures. When enabling tenancy mode, ensure that the ServiceAccount of the gateway component has TokenReview and SubjectAccessReview permissions. As a workaround for the known issue, deploy the instance in a dedicated namespace and carefully audit which users have permission to read Secrets in that namespace. Follow Red Hat's official advisory and documentation for detailed instructions.