Indeni’s response to Spring4Shell
Notice: This blog post was originally published on Indeni before its acquisition by BlueCat.
The content reflects the expertise and perspectives of the Indeni team at the time of writing. While some references may be outdated, the insights remain valuable. For the latest updates and solutions, explore the rest of our blog.
On March 29th, 2022, a remote code execution vulnerability in Spring Cloud Foundation was published. The vulnerability is known as Spring4Shell, tracked as CVE-2022-22965. Researchers believe that the vulnerability affects Spring Core on JDK (Java Development Kit) 9 and above. Today, the vulnerability was upgraded to critical.
Our engineering team was immediately engaged and confirmed that Indeni is not vulnerable to this issue. The Indeni product uses neither JDK 9 nor the Spring Framework. If you have additional questions related to Spring4Shell, please do not hesitate to contact us.
The article reports that on March 29, 2022 a remote code execution vulnerability called Spring4Shell (CVE-2022-22965), affecting Spring Core on JDK 9 and above, was published and subsequently upgraded to critical severity. It explains the operational risk of remote code execution in Java/Spring environments and notes that the engineering team was engaged immediately to assess product exposure. The key outcome is that Indeni is confirmed not vulnerable because it uses neither JDK 9 nor the Spring Framework, and readers are invited to contact the team with further questions.
What is Spring4Shell (CVE-2022-22965) and why is it important?
Spring4Shell, tracked as CVE-2022-22965, is a remote code execution vulnerability published March 29, 2022 that affects Spring Core when running on Java Development Kit versions 9 and above. Remote code execution vulnerabilities are critical because they can allow attackers to run arbitrary code on affected servers, potentially compromising data, availability, and integrity of systems in production. The vulnerability was later upgraded to critical severity, prompting immediate examination by engineering and security teams to determine product exposure and mitigation steps.
Did the vulnerability affect Indeni products and how was that determined?
Following the disclosure and the upgrade to critical severity, Indeni's engineering team was immediately engaged to assess exposure and confirmed that Indeni is not vulnerable to Spring4Shell. The determination was based on the product's technical characteristics: Indeni uses neither JDK 9 (or later) nor the Spring Framework, and both are required for the vulnerability to be exploitable. As a result, no remediation of Indeni was required for this specific issue.
Who should I contact if I have additional questions about Spring4Shell and Indeni's assessment?
Readers with additional questions related to Spring4Shell are invited to contact the team; Indeni's engineering and security contacts are available to provide further clarification. For specific follow-up, reach out through your usual Indeni support or engineering contact channels to request details about the assessment, timelines, or any related security guidance. The engineering team engaged immediately upon disclosure and can provide authoritative answers about product exposure and mitigations.