CVE-2022-22965 is a critical vulnerability of the remote code execution (RCE) class, that is, it allows an attacker to remotely execute malicious code. The vulnerability affects Spring MVC and Spring WebFlux applications running under Java Development Kit (JDK) version 9 or later.

 

  • The FlexDeploy application (Tomcat and WebLogic) and its plugins do not include Spring MVC or Spring WebFlux, hence FlexDeploy is not susceptible to this vulnerability.
  • Additionally, the vulnerability affects JDK 9 or above. FlexDeploy is not using JDK 9 at this point.
  • Customers are advised to look into any custom-developed plugins, scripts, and other products that are used in conjunction with FlexDeploy for this vulnerability as well.
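
One way to carry out the check suggested in the last bullet, as an added example that is not FlexDeploy's own code: it walks a directory of custom plugins or other artifacts, looks inside archives (including nested ones) for the Spring MVC and Spring WebFlux modules, and combines that with the JDK version condition. It assumes the modules ship under their standard artifact file names (`spring-webmvc-*.jar`, `spring-webflux-*.jar`); all function names are hypothetical.

```python
import io
import re
import zipfile
from pathlib import Path

# Assumption: the affected modules appear under their standard artifact file names.
SPRING_JAR = re.compile(r"(?:^|/)(spring-(?:webmvc|webflux)-[^/]*\.jar)$")
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def java_major(version: str) -> int:
    """Major version from a Java version string: '1.8.0_292' -> 8, '11.0.2' -> 11."""
    parts = re.split(r"[._+-]", version.strip().strip('"'))
    major = int(parts[0])
    return int(parts[1]) if major == 1 and len(parts) > 1 else major


def _scan_archive(data, label, hits, depth=0):
    """Record Spring MVC/WebFlux jars inside an archive, following nested archives."""
    try:
        zf = zipfile.ZipFile(data)
    except zipfile.BadZipFile:
        return  # not a readable archive; skip it
    with zf:
        for name in zf.namelist():
            if SPRING_JAR.search(name):
                hits.append(f"{label}!{name}")
            elif name.lower().endswith(ARCHIVE_EXT) and depth < 3:
                _scan_archive(io.BytesIO(zf.read(name)), f"{label}!{name}", hits, depth + 1)


def find_spring_web(root):
    """Return sorted locations of spring-webmvc / spring-webflux jars under root."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if SPRING_JAR.search(path.name):
            hits.append(str(path))
        elif path.suffix.lower() in ARCHIVE_EXT:
            _scan_archive(path, str(path), hits)
    return sorted(hits)


def needs_review(root, java_version):
    """Both conditions from the advisory: Spring MVC/WebFlux present and JDK 9 or later."""
    hits = find_spring_web(root)
    return bool(hits) and java_major(java_version) >= 9, hits
```

Matching by file name will miss artifacts in which the Spring classes were repackaged under a different jar name, so an empty result for such a build still calls for a look at its dependency list.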