CVE-2025-55117

BMC Control-M/Agent buffer overflow in SSL/TLS communication

Severity: Medium (5.3)

A stack-based buffer overflow can be remotely triggered when formatting an error message in the Control-M/Agent when SSL/TLS communication is configured.

CVE-2025-55118

BMC Control-M/Agent memory corruption in SSL/TLS communication

Severity: High (8.9)

Memory corruptions can be remotely triggered in the Control-M/Agent when SSL/TLS communication is configured.

These CVEs can occur in the following scenarios:

• With Control-M/Agent 9.0.21 and 9.0.22 when the Agent configuration is set to the non-default settings "JAVA_AR=N" in CONFIG.dat and "use_openssl=n" in the site.plc file
• With Control-M/Agent 9.0.20 and lower when the SSL/TLS configuration is set to the non-default setting "use_openssl=n" in the site.plc file

Determine which Control-M/Agents use SSL/TLS communication with Control-M/Server:

1. Open the Control-M Configuration Manager (CCM)
2. If the SSL column is not currently showing, right click on any column header and select "Column chooser"
3. From the Column chooser dialog, drag the "SSL" column into the columns view.
4. Select each Control-M/Server in the tree on the left to view the Control-M/Agents in the middle pane
5. In the "Type" column header, set the filter to "Control-M Agent"
6. Sort by the SSL column and any Agents with SSL set to "Enabled" will need to be handled below
7. To create a file with this list of Agents, select the drop-down on the top left next to Home, then select Exports List

For all Control-M/Agents 9.0.21 and 9.0.22 that have SSL/TLS Enabled

1. Run the following command as the Control-M/Agent user (Unix/Linux) or Command Prompt (Windows) to check the value for the parameter "JAVA_AR":

   ctmcfg -TABLE CONFIG -ACTION DISPLAY -PARAMETER JAVA_AR

   If set to Y, no further action is needed.

2. Backup the Control-M/Agent's <Agent Home>/data/CONFIG.dat file
3. If the "JAVA_AR" parameter is currently set to N, change the value to Y by running the following command. 
   ctmcfg -TABLE CONFIG -ACTION UPDATE -PARAMETER JAVA_AR -VALUE Y
4. If JAVA_AR was changed from N to Y, recycle the Control-M/Agent to make the configuration change take effect

For all Control-M/Agents 9.0.20 and lower that have SSL/TLS Enabled

Primary Solution:

Upgrade to a fully supported version of Control-M/Agent.

BMC recommends upgrading Control-M/Agent to the latest major version and Fix Pack available.

Alternate Solution:

1. Check and correct the value of the "use_openssl" parameter:
   • Windows:
     1. Run the following command to check the value of "use_openssl" in the Agent registry keys:
        reg query "HKLM\SOFTWARE\BMC Software\Control-M/Agent" /v use_openssl /s
     2. If any "use_openssl" key is set to "N", backup the keys with the following command:
        reg query "HKLM\SOFTWARE\BMC Software\Control-M/Agent" > BackupFileName
     3. For each key where "use_openssl" is set to "N", set it back to the default value of "Y" with the following, where <key path> is the key's path returned from the above query in step a:

        reg add <key path> /v use_openssl /d Y /f

        For example:

        reg add "HKLM\SOFTWARE\BMC Software\Control-M/Agent\SecurityPolicy\site\server" /v use_openssl /d Y /f

   • UNIX/Linux:
     1. Login as the Control-M/Agent user and run the following command to check the value for "use_openssl" in the plc files with the following command:
        grep use_openssl $CONTROLM/data/SSL/cert/*.plc
     2. If "use_openssl" is set to "N" on any lines, back up and edit the relevant file.
     3. Under the "[server]" or "[client]" sections, set the parameter back to the default value of "Y" and save the changes.

        Example site.plc file:

        [server]
        openssl_threads=Y
        kdb_keystore=PKCS12
        use_openssl=Y

        [client]
        openssl_threads=Y
        kdb_keystore=PKCS12
        use_openssl=Y

2. If use_openssl was changed from N to Y, recycle the Control-M/Agent for the change to take effect.