What are the steps needed to resolve the following CVEs?

For Control-M Administrators:

The solutions below entail implementing SSL/TLS and remediating specific vulnerabilities according to the Agent version.
Deviation from these documented steps can lead to exposure to these CVEs.

Steps to resolve all of the CVEs:

1. Upgrade Control-M/Agents to version 9.0.21.xxx or 9.0.22.
2. Ensure the JAVA_AR parameter is set to Y.
   See article 000441972 for details.
3. Ensure SSL/TLS is implemented on all Agents according to best practices.
   • In the default configuration with all Agents currently in TCP mode:
     • See article 000442271 for best practices and procedures for implementing SSL/TLS for the first time, including other corrective actions needed.
   • With some or all Agents in SSL/TLS mode:
     • See article 000442490 for procedures to update your SSL/TLS configuration with the latest best practices.

FAQ:

• Are there any steps to immediately lessen the impact of these CVEs?
  • Until you are able to implement the recommended solution, have your network team implement firewall rules to only allow access to the Control-M/Agent's Server-to-Agent port from authorized Control-M/Server machines.
    See article 000230698 for a list of ports Control-M uses.
• Is there any alternate solution for Control-M/Agents below 9.0.21?
  • The only option to resolve all CVEs is to upgrade to version 9.0.21 or higher and perform the solution steps for that version.
• If I already have SSL/TLS implemented, am I affected?
  • It is still possible to be affected if SSL/TLS is not implemented according to best practices (article 000442490).
• Do these CVEs affect Remote Hosts/Agentless?
  • No, there is no effect on Remote Hosts/Agentless.

For Security Administrators:

Summary: