CVE-2021-37942: 
Java vulnerability analysis and mitigation

A local privilege escalation vulnerability (CVE-2021-37942) was discovered in the Elastic APM Java agent versions 1.18.0 through 1.27.0. The vulnerability was disclosed on December 9, 2021, affecting the APM Java agent component of Elastic's application performance monitoring system (Elastic Advisory).

The vulnerability allows a local user to attach a malicious plugin to an application running the APM Java agent. The issue has been assigned a CVSS v3.1 base score of 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) by NIST NVD, while Elastic assigned it a score of 7.0 HIGH (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability is classified under CWE-269 (Improper Privilege Management) (NVD).

By exploiting this vulnerability, an attacker could execute code at a potentially higher level of permissions than their user typically has access to, leading to privilege escalation on the affected system (Elastic Advisory).

Users are advised to update to version 1.27.1 or newer of the APM Java agent. Alternatively, users can switch to the unaffected -javaagent-based installation method as a workaround (Elastic Advisory).