Microsoft’s Response to CVE-2022-22965 Spring Framework

Summary

Microsoft used the Spring Framework RCE, Early Announcement to inform its analysis of the remote code execution vulnerability CVE-2022-22965, disclosed on 31 Mar 2022. To date we have not observed any impact to the security of our enterprise services and have not experienced any degraded service availability due to this vulnerability.

Microsoft security teams continue to analyze our products and services to identify any instances of CVE-2022-22965 in Spring Framework. If vulnerable instances are discovered, we will update or mitigate them based on the latest guidance from Spring.

Product Specific Guidance

Where a risk or vulnerability is identified that requires additional customer action, the affected customers will be notified accordingly.

Customers must analyze the applications they manage and update or mitigate based on the latest guidance from Spring.

For operating systems, software and applications that you deploy to Microsoft services, you are responsible for upgrades and security patching.

Refer to the Security Update information for your Microsoft service to learn more about how software upgrades and security patching are managed for you by the service.

Customers are encouraged to apply the Spring Framework updates as quickly as possible.

We will further update this guidance as we continue to learn from our investigation.

The MSRC Team

Revision History:
04/05/2022 – Initial publication.