Impact of the SpringShell vulnerability CVE-2022-22965

Background

The Spring Framework is an application framework for Java.

Spring Framework versions before 5.3.18 have a critical security vulnerability (CVE-2022-22965) allowing remote code execution.

Desktop apps

None of our desktop software on Mac or Windows uses Java or the Spring Framework, so it is not affected by CVE-2022-22965.

OnDemand cloud app

None of our cloud software uses Java or the Spring Framework, so it is not affected by CVE-2022-22965.

Note: OnDemand runs on Microsoft Azure, and Microsoft are still investigating the impact. Microsoft have not found any services using the Spring Framework. Microsoft may discover other uses of Spring Framework on Azure as they continue investigating.

Microsoft’s Response to CVE-2022-22965

Infrastructure

None of our core infrastructure uses Java or the Spring Framework, so it is not affected by CVE-2022-22965.

Other services

Assessment of Spring Framework use by third-party suppliers for services like accounting is ongoing.

Note: This information was correct at the time of publication, but this is still an evolving situation, and this page will be updated as new information becomes available.

Applies to: All products

Last reviewed: April 8, 2022