Workiva is closely monitoring the evolving investigation into newly disclosed vulnerabilities in the Java Spring Framework, including CVE-2022-22965 and CVE-2022-22950.
We will continue to work with our internal teams and third parties to ensure prompt awareness of any upstream risk.
Update: April 7, 11:22pm CDT
Workiva does not use any version of Spring Cloud Function and is not vulnerable to the attacks described in CVE-2022-22963.
We have additionally determined that our usage of Spring Framework is not deployed in a configuration vulnerable to the attacks described in CVE-2022-22965 and CVE-2022-22950. However, out of an abundance of caution, we are patching all instances of Spring Framework within our patching guidelines.
Workiva will continue to monitor the incident and work closely with our vendors to ensure our platform remains unaffected.