CVE-2022-24697: 
Java vulnerability analysis and mitigation

Apache Kylin, an open-source Distributed Analytical Data Warehouse for Big Data, was found to contain a command injection vulnerability (CVE-2022-24697) in its cube designer function. The vulnerability was discovered by Kai Zhao of the ToTU Security Team and affects Kylin 2 version 2.6.5 and earlier, Kylin 3 version 3.1.2 and earlier, and Kylin 4 version 4.0.1 and earlier. The vulnerability was disclosed on October 11, 2022 (Security Online, CVE Mitre).

The vulnerability exists in the configuration overwrites menu when overwriting system parameters. An attacker can execute arbitrary commands by closing the single quotation marks around the parameter value of "--conf=" to inject operating system commands into the command line parameters. This vulnerability was later found to have an incomplete fix, leading to CVE-2022-43396, where the blacklist implementation used to filter user input commands could be bypassed through the kylin.engine.spark-cmd parameter of conf (Openwall).

The vulnerability allows remote code execution (RCE) capabilities, enabling attackers to execute arbitrary commands on the system through specially-crafted requests using the value parameter (Security Online).

Users of affected versions are advised to upgrade to Apache Kylin version 4.0.2 or apply the patch available at GitHub PR #1811. However, due to an incomplete fix, users should further upgrade to version 4.0.3 or apply the patch in GitHub PR #2011 to address the subsequent CVE-2022-43396 (Openwall).