1. Gateway is not vulnerable to these CVEs as geode-core and its dependent libraries are not used when the backend cache is Redis.
All other libraries are dependent libraries of geode-core
Im checking with engineering if this library is included or does not when using backend redis cache.
2. regarding spring-web-5.2.5.RELEASE.jar , vulnerabilities has being fixed on CR1 , however there is CR02 which resolve several vulnerabilties and CR03 the last one.
Also we have Montly Path update
which need to be applied also and check again if the vulnerability is resolved.
3. If you have additional questions please open a case with https://support.broadcom.com/