From securityonline.info
Recently, Apache Hadoop fixed a command injection vulnerability. The flaw arises when ZKConfigurationStore is used: an attacker could exploit it to inject arbitrary commands and thus achieve remote code execution. By sending a specially crafted request, an attacker could execute arbitrary commands as a YARN user on the system. The flaw is tracked as CVE-2021-25642, and its severity is rated important. Security researcher Liu Ximing has been credited with reporting this flaw.