
Microsoft’s Response to CVE-2022-22965 Spring Framework

Summary

Microsoft used the "Spring Framework RCE, Early Announcement" to inform its analysis of the remote code execution vulnerability, CVE-2022-22965, disclosed on 31 Mar 2022. To date, we have not noted any impact to the security of our enterprise services and have not experienced any degraded service availability due to this vulnerability.

Microsoft security teams have completed analysis of our products and services to identify and remediate any instances of CVE-2022-22965 in Spring Framework.

Product Specific Guidance

Where risk or vulnerability is identified that requires additional customer actions, the affected customers will be notified accordingly.

Customers must analyze the applications they manage and update or mitigate based on the latest guidance from Spring.

For operating systems, software and applications you deploy to Microsoft services, you are responsible for upgrades and security patching.

Refer to the Security Update information for your Microsoft service to learn more about how software upgrades and security patching are managed for you by the service.

Customers are encouraged to apply the Spring Framework updates as quickly as possible.

We will further update this guidance as we continue to learn from our investigation.

The MSRC Team

Revision History:
04/05/2022 - Initial publication.
06/07/2022 - Updated investigation status.
