CVE-2021-37942

7.0 HIGH

📋 TL;DR

A local user who can attach to a JVM running the Elastic APM Java agent can load a malicious plugin into it and execute code with the privileges of that JVM's process owner, which may be higher than the attacker's own. Only deployments that use the attach API or the agent's remote attach capability are affected; a JVM that loads the agent with -javaagent at startup and is never attached to is not. Systems running agent versions before 1.28.4 are affected.

💻 Affected Systems

Products:
  • Elastic APM Java Agent
Versions: prior to 1.28.4
Operating Systems: All operating systems running Java applications with the APM agent
Default Config Vulnerable: ⚠️ Yes, when the agent is attached at runtime (attach API or remote attach); deployments that only load the agent with -javaagent at startup are not affected
Notes: Exploitation needs a local account and the ability to attach to the target JVM. Code run through a malicious plugin executes as that JVM's user, so the exposure is greatest where application JVMs run as root or a shared service account.

📦 What is this software?

The Elastic APM Java agent is a JVM instrumentation agent that traces Java applications and sends transactions, spans, errors and metrics to an APM Server. It is loaded either at JVM startup (-javaagent:elastic-apm-agent-<version>.jar) or attached to an already running JVM with the apm-agent-attach-cli tool, which uses the JVM attach mechanism.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local attacker attaches a malicious plugin to a JVM running as root/administrator and gains those privileges, leading to complete system compromise.

🟠

Likely Case

Local user escalates to the privileges of the application running the APM agent, potentially gaining access to sensitive data or performing unauthorized actions.

🟢

If Mitigated

Attack limited to users with local access; proper privilege separation and monitoring would contain impact.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local system access.
🏢 Internal Only: HIGH - Internal users with local access could exploit this to gain elevated privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires a local account and the ability to attach to the target JVM (attach API or remote attach); no network access path exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.28.4 and later

Vendor Advisory: https://discuss.elastic.co/t/apm-java-agent-security-update/291355

Restart Required: Yes

Instructions:

1. Download APM Java agent version 1.28.4 or later from Elastic (and, if you attach at runtime, the matching apm-agent-attach-cli release, which bundles the agent).
2. Replace the existing agent JAR file with the updated version.
3. Restart every Java application that loads the agent. A JVM that had the old agent attached at runtime keeps that agent code in memory until it is restarted; re-attaching a newer agent does not unload the old one.

🔧 Temporary Workarounds

Restrict local plugin attachment

Platform: all

Limit who can attach to the affected JVMs: run each application under its own dedicated account, keep untrusted users off the host, and restrict use of the attach CLI (remote attach) to trusted operators.

If the agent is loaded with -javaagent at startup rather than attached at runtime, start the JVM with -XX:+DisableAttachMechanism so that nothing can attach to it afterwards. Caveat: this also disables jcmd, jstack and other attach-based tooling for that process, and it is not an option for deployments that rely on runtime attach.

🧯 If You Can't Patch

  • Restrict local user access to systems running APM Java agent
  • Implement strict privilege separation between applications and users

🔍 How to Verify

Check if Vulnerable:

The agent JAR carries its version in its file name (elastic-apm-agent-<version>.jar). List the arguments of the running Java processes (for example with ps -eo pid,user,args), read the path after -javaagent: for each one, and compare that version with 1.28.4.

For JVMs that had the agent attached at runtime there is no -javaagent argument; use the agent's startup log line instead, which states the version ("Starting Elastic APM <version> as <service> ...").

Verify Fix Applied:

Every agent JAR found on the host is version 1.28.4 or higher, and every JVM that had loaded an older agent has been restarted and now logs 1.28.4 or later in its startup line.
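The version check above, as an added worked example that is not part of this page or of Elastic's own tooling. The script parses a ps -eo pid,user,args listing for -javaagent paths and agent log lines for the startup message, and flags any version below 1.28.4. The process listing and log lines are constructed for illustration; the format of the startup line ("Starting Elastic APM <version> ...") is assumed here rather than taken from the page.

```python
import re
from typing import Dict, List, Optional, Tuple

# First release of the Elastic APM Java agent that fixes CVE-2021-37942.
FIXED_VERSION = (1, 28, 4)

# The agent JAR is loaded as -javaagent:/path/elastic-apm-agent-<version>.jar[=options].
# The character class excludes "=" so agent options are not swallowed into the path.
JAVAAGENT_RE = re.compile(
    r"-javaagent:(?P<path>[^\s=]*?elastic-apm-agent-(?P<version>\d+\.\d+\.\d+)[^\s=]*?\.jar)"
)

# Assumption: the agent's startup log line reads "Starting Elastic APM <version> as <service> ...".
STARTUP_RE = re.compile(r"Starting Elastic APM (?P<version>\d+\.\d+\.\d+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "1.28.3" into (1, 28, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version: str) -> bool:
    """True for any agent version earlier than the fixed release."""
    return parse_version(version) < FIXED_VERSION


def find_agent(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (jar_path, version) if the command line loads the agent with -javaagent."""
    match = JAVAAGENT_RE.search(cmdline)
    if match is None:
        return None
    return match.group("path"), match.group("version")


def audit_process_list(ps_output: str) -> List[Dict[str, object]]:
    """Scan `ps -eo pid,user,args` output and report each JVM that loads the agent.

    JVMs that had the agent attached at runtime carry no -javaagent argument and
    will not appear here; check their startup log with audit_log_lines instead.
    """
    findings: List[Dict[str, object]] = []
    for line in ps_output.splitlines():
        fields = line.split(None, 2)
        if len(fields) < 3 or not fields[0].isdigit():
            continue  # header or malformed line
        pid, user, args = fields
        hit = find_agent(args)
        if hit is None:
            continue
        path, version = hit
        findings.append({
            "pid": pid,
            "user": user,
            "jar": path,
            "version": version,
            "vulnerable": is_vulnerable(version),
        })
    return findings


def audit_log_lines(lines: List[str]) -> List[Tuple[str, bool]]:
    """Report (version, vulnerable) for every agent startup line found in the logs."""
    results: List[Tuple[str, bool]] = []
    for line in lines:
        match = STARTUP_RE.search(line)
        if match:
            results.append((match.group("version"), is_vulnerable(match.group("version"))))
    return results


# Constructed sample input: a `ps -eo pid,user,args` listing with one old agent
# (with agent options appended to the path), one fixed agent and one JVM without an agent.
SAMPLE_PS = """\
  PID USER     COMMAND
 1234 app      /usr/bin/java -javaagent:/opt/elastic/elastic-apm-agent-1.28.3.jar=log_level=INFO -jar /srv/app/app.jar
 2345 svc      /usr/bin/java -javaagent:/opt/elastic/elastic-apm-agent-1.30.0.jar -jar /srv/other/other.jar
 3456 root     /usr/bin/java -jar /srv/tools/tool.jar
"""

# Constructed sample log lines in the assumed startup-line format.
SAMPLE_LOG = [
    "2022-01-10 09:12:01,115 [main] INFO  ElasticApmTracer - Starting Elastic APM 1.28.3 as app on Java 11.0.13",
    "2022-01-10 09:12:02,003 [main] INFO  Tomcat started on port(s): 8080",
]

if __name__ == "__main__":
    for finding in audit_process_list(SAMPLE_PS):
        status = "VULNERABLE" if finding["vulnerable"] else "ok"
        print(f"pid {finding['pid']} user {finding['user']} agent {finding['version']}: {status}")
    for version, vulnerable in audit_log_lines(SAMPLE_LOG):
        print(f"log reports agent {version}: {'VULNERABLE' if vulnerable else 'ok'}")
```

On a real host, replace SAMPLE_PS with the output of ps -eo pid,user,args and SAMPLE_LOG with the application's log lines; the numeric tuple comparison matters because a string comparison would rank 1.28.10 below 1.28.4.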

📡 Detection & Monitoring

Log Indicators:

  • Agent startup lines ("Starting Elastic APM <version> ...") reporting a version below 1.28.4
  • The attach CLI (apm-agent-attach-cli) run by an account that does not operate the target JVM
  • Child processes, outbound connections or file writes from an application JVM that do not match its normal behaviour (code run through a malicious plugin executes as the JVM's user)

Network Indicators:

  • None - this is a local attack

SIEM Query:

Process-creation events where the command line contains apm-agent-attach-cli, or a -javaagent path matching elastic-apm-agent-<version>.jar with a version below 1.28.4; correlate the launching user with the owner of the target JVM and alert on mismatches or on users outside the operations group.

🔗 References

  • Elastic security update (ESA): https://discuss.elastic.co/t/apm-java-agent-security-update/291355
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-37942
