Feb 25, 2022

This release includes a security update and allows the Insight Agent to find Log4j version 1.x JAR files.

Improved

  • The Insight Agent can now find Log4j version 1.x JAR files. A vulnerability check that flags instances of this outdated software library will be available following the 6.6.129 version release for InsightVM on March 2, 2022.

Security Update

  • We fixed CVE-2022-0237, a privilege escalation vulnerability affecting the Insight Agent. This issue could have allowed a local user to hijack the flow of execution via a malicious program file, potentially resulting in elevated rights and persistent access to the machine. Special thanks to Ryan Schachtschneider for discovering and reporting this vulnerability to Rapid7.