CVE-2022-43396: 
Java vulnerability analysis and mitigation

Apache Kylin reported a high-severity command injection vulnerability (CVE-2022-43396) that affects Kylin 2.x, 3.x, and 4.x versions. The vulnerability stems from a bypass in the blacklist used to filter user input commands, which was initially implemented as a fix for CVE-2022-24697. The issue was discovered and reported by researchers Yasax1 Li and Messy God (SecurityOnline).

The vulnerability has a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The security flaw allows authenticated users to bypass the blacklist filtering mechanism by controlling the kylin.engine.spark-cmd parameter of conf (NVD).

If successfully exploited, this vulnerability could allow an authenticated remote attacker to execute arbitrary commands on the affected system, potentially leading to complete system compromise with high impacts on confidentiality, integrity, and availability (SecurityOnline).

Users are strongly advised to upgrade to Apache Kylin version 4.0.3 or later to address this vulnerability. This version contains the necessary security fixes to prevent the command injection attack (SecurityOnline).