Mendix will probably also react here, but the response from Slack from the CISO:
Mendix Runtime doesn't use Spring; Marketplace components might use it. However, 'The specific exploit requires the application to run on Tomcat as a WAR deployment.', which isn't used in Mendix Cloud.
Regards,
Ronald
Don't know about the impact, but the latest version of the LDAP Synchronization module from the Marketplace (v.8.0.0, January 21, 2020) contains these spring*.jar files:
Ldap_v8.0.0_Mx7.23.4\userlib\spring*
spring-beans-5.2.1.RELEASE.jar
spring-beans-5.2.1.RELEASE.jar.LDAPSynchronizationModule.RequiredLib
spring-core-5.2.1.RELEASE.jar
spring-core-5.2.1.RELEASE.jar.LDAPSynchronizationModule.RequiredLib
spring-ldap-core-2.3.2.RELEASE.jar
spring-ldap-core-2.3.2.RELEASE.jar.LDAPSynchronizationModule.RequiredLib
spring-tx-5.2.1.RELEASE.jar
spring-tx-5.2.1.RELEASE.jar.LDAPSynchronizationModule.RequiredLib
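
Added example, not part of either post above and not Mendix code: a small Python inventory of Spring jars in a project's userlib folder, grouped by the Marketplace module that claims them. It assumes the `<jar>.<ModuleName>.RequiredLib` marker naming seen in the listing above; the function names are hypothetical.

```python
import re
from collections import defaultdict
from pathlib import Path

# <artifact>-<version>.jar, optionally followed by .<ModuleName>.RequiredLib
# (marker naming assumed from the listing in the post above).
JAR_RE = re.compile(
    r"^(?P<artifact>spring-[a-z0-9-]+?)-(?P<version>\d[\w.]*?)\.jar"
    r"(?:\.(?P<module>[^.]+)\.RequiredLib)?$"
)

# File names copied from the listing in the post above.
SAMPLE = [
    "spring-beans-5.2.1.RELEASE.jar",
    "spring-beans-5.2.1.RELEASE.jar.LDAPSynchronizationModule.RequiredLib",
    "spring-core-5.2.1.RELEASE.jar",
    "spring-core-5.2.1.RELEASE.jar.LDAPSynchronizationModule.RequiredLib",
    "spring-ldap-core-2.3.2.RELEASE.jar",
    "spring-ldap-core-2.3.2.RELEASE.jar.LDAPSynchronizationModule.RequiredLib",
    "spring-tx-5.2.1.RELEASE.jar",
    "spring-tx-5.2.1.RELEASE.jar.LDAPSynchronizationModule.RequiredLib",
]

def inventory(names):
    """Map (artifact, version) -> whether the jar exists and which modules claim it."""
    found = defaultdict(lambda: {"jar_present": False, "modules": set()})
    for name in names:
        m = JAR_RE.match(name)
        if not m:
            continue  # not a Spring jar or marker file
        entry = found[(m["artifact"], m["version"])]
        if m["module"]:
            entry["modules"].add(m["module"])   # marker file: records the owner
        else:
            entry["jar_present"] = True         # the jar itself
    return dict(found)

def scan_userlib(userlib):
    """Run the inventory over the files of a real userlib directory."""
    return inventory(p.name for p in Path(userlib).iterdir() if p.is_file())

if __name__ == "__main__":
    for (artifact, version), info in sorted(inventory(SAMPLE).items()):
        owners = ", ".join(sorted(info["modules"])) or "no marker (added by hand?)"
        state = "jar present" if info["jar_present"] else "marker only"
        print(f"{artifact} {version}: {state}; required by {owners}")
```

A jar reported with no marker is not claimed by any module and needs a manual check of who added it.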