Impact of the SpringShell vulnerability CVE-2022-22965
The Spring Framework is an application framework for Java.
Spring Framework versions before 5.3.18 have a critical security vulnerability (CVE-2022-22965) allowing remote code execution.
None of our desktop software on Mac or Windows uses Java or the Spring Framework, so is not affected by CVE-2022-22965.
OnDemand cloud app
None of our cloud software uses Java or the Spring Framework, so is not affected by CVE-2022-22965.
Note: OnDemand runs on Microsoft Azure and Microsoft are still investigating impact. Microsoft have not found any services using the Spring Framework. Microsoft may discover other uses of Spring Framework on Azure as they continue investigating.
Microsoft’s Response to CVE-2022-22965
None of our core infrastructure uses Java or the Spring Framework, so is not affected by CVE-2022-22965.
Assessment of Spring Framework use by third party suppliers for services like accounting is ongoing.
Note: This information was correct at the time of publication, but this is still an evolving situation, and this page will be updated as new information becomes available.
Applies to: All products
Last reviewed: April 8, 2022