Change Auditor does not use Spring, therefore is not affected by CVE-2022-22965.
NOTE: If you are licensed for and use Threat Detection, it is also not affected by this vulnerability. TD does use an older version of Spring (4.2.8) and Java JDK8, however, as per the description of the vulnerability, JDK9+ is a requirement for this CVE.