Microsoft used the Spring blog post "Spring Framework RCE, Early Announcement" to inform its analysis of the remote code execution vulnerability CVE-2022-22965, disclosed on 31 March 2022. To date we have not observed any impact to the security of our enterprise services and have not experienced any degraded service availability due to this vulnerability.
Microsoft security teams have completed analysis of our products and services to identify and remediate any instances of CVE-2022-22965 in Spring Framework.
Where we identify a risk or vulnerability that requires additional customer action, the affected customers will be notified accordingly.
Customers must analyze the applications they manage and update or mitigate based on the latest guidance from Spring.
For operating systems, software and applications that you deploy to Microsoft services, you are responsible for upgrades and security patching.
Refer to the Security Update information for your Microsoft service to learn how software upgrades and security patching are managed for you by that service.
Customers are encouraged to apply the Spring Framework updates as quickly as possible.
We will further update this guidance as we continue to learn from our investigation.
The MSRC Team
Revision History:
04/05/2022 – Initial publication.
06/07/2022 – Updated investigation status.