CVE-2022-25168: 
Java vulnerability analysis and mitigation

Apache Hadoop's FileUtil.unTar(File, File) API contains a command injection vulnerability (CVE-2022-25168) discovered in February 2022. The vulnerability exists because the API does not escape the input file name before being passed to the shell, allowing attackers to inject arbitrary commands. This affects Apache Hadoop versions prior to 2.10.2, 3.2.4, and 3.3.3 (Apache List, Security Online).

The vulnerability resides in the FileUtil.unTar(File, File) API implementation. In Hadoop 3.3, it affects the InMemoryAliasMap.completeBootstrapTransfer functionality, which is only executed by local users. However, in Hadoop 2.x, it affects yarn localization, enabling remote code execution. The vulnerability is also present in Apache Spark's SQL command ADD ARCHIVE, though in this context, executing shell scripts doesn't grant additional permissions to the caller as the command already adds new binaries to the classpath. The vulnerability has received a CVSS score of 9.8 (CRITICAL) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NetApp Advisory).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The impact is particularly severe in Hadoop 2.x implementations where remote code execution is possible through yarn localization (NetApp Advisory).

Users are advised to upgrade to Apache Hadoop versions 2.10.2, 3.2.4, 3.3.3 or higher, which include the fix (HADOOP-18136). For Apache Spark users, version 3.3.0, 3.1.4, and 3.2.2 include SPARK-38305 ('Check existence of file before untarring/zipping'), which prevents shell commands from being executed regardless of the Hadoop library version in use (Apache List).