Red Hat Product Errata RHSA-2025:10098 - Security Advisory
Issued:
2025-07-01
Updated:
2025-07-01

RHSA-2025:10098 - Security Advisory

Synopsis

Important: Red Hat Product OCP Tools 4.16 OpenShift Jenkins security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for OpenShift Jenkins is now available for Red Hat Product OCP
Tools 4.16. Red Hat Product Security has rated this update as having a
security impact of important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Description

Jenkins is a continuous integration server that monitors executions of
repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

  • jenkins-2-plugins: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370) (CVE-2024-57699)
  • jenkins: CVE-2025-22228: Spring Security BCryptPasswordEncoder does not enforce maximum password length (CVE-2025-22228)
  • jenkins: Jetty HTTP/2 Header List Size Vulnerability (CVE-2025-1948)
  • jenkins: jackson-core Potential StackoverflowError (CVE-2025-52999)
  • jenkins-2-plugins: jackson-core Potential StackoverflowError (CVE-2025-52999)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

Affected Products

  • OpenShift Developer Tools and Services 4.16 x86_64
  • OpenShift Developer Tools and Services 4.16 s390x
  • OpenShift Developer Tools and Services 4.16 ppc64le
  • OpenShift Developer Tools and Services 4.16 aarch64

Fixes

  • BZ - 2344073 - CVE-2024-57699 json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)
  • BZ - 2353507 - CVE-2025-22228 spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length
  • BZ - 2365137 - CVE-2025-1948 jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability
  • BZ - 2374804 - CVE-2025-52999 com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError

OpenShift Developer Tools and Services 4.16

SRPM
jenkins-2-plugins-4.16.1750857315-1.el9.src.rpm SHA-256: 39ac5ee893af19d02bc6c69b032a4af8aaec9cb546de4a1a4c656e6073fcb6f3
jenkins-2.504.2.1750857144-3.el9.src.rpm SHA-256: 62f228f4c5cc18f3bad6266d61940707ae34d9dc69c2fb8c000c4d616539acae
x86_64
jenkins-2-plugins-4.16.1750857315-1.el9.noarch.rpm SHA-256: e832c818a26ac46c0dc91fce3e4f142343f7bd46f496efe6bcf3987c1d9f27d6
jenkins-2.504.2.1750857144-3.el9.noarch.rpm SHA-256: 55705b2033c02f31167d5e77b01d788663415c653eeffab4093f478e5c2a4c9a
s390x
jenkins-2-plugins-4.16.1750857315-1.el9.noarch.rpm SHA-256: e832c818a26ac46c0dc91fce3e4f142343f7bd46f496efe6bcf3987c1d9f27d6
jenkins-2.504.2.1750857144-3.el9.noarch.rpm SHA-256: 55705b2033c02f31167d5e77b01d788663415c653eeffab4093f478e5c2a4c9a
ppc64le
jenkins-2-plugins-4.16.1750857315-1.el9.noarch.rpm SHA-256: e832c818a26ac46c0dc91fce3e4f142343f7bd46f496efe6bcf3987c1d9f27d6
jenkins-2.504.2.1750857144-3.el9.noarch.rpm SHA-256: 55705b2033c02f31167d5e77b01d788663415c653eeffab4093f478e5c2a4c9a
aarch64
jenkins-2-plugins-4.16.1750857315-1.el9.noarch.rpm SHA-256: e832c818a26ac46c0dc91fce3e4f142343f7bd46f496efe6bcf3987c1d9f27d6
jenkins-2.504.2.1750857144-3.el9.noarch.rpm SHA-256: 55705b2033c02f31167d5e77b01d788663415c653eeffab4093f478e5c2a4c9a

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.