Control-M/Agent Vulnerability Reports
BMC offers you scripts and jobs to identify whether your Control-M/Agents might be impacted by any of the known vulnerabilities discussed in Knowledge Article 000442099.
These CVE Analyzer scripts and jobs support all versions of Control-M/Agent since version 9.0.18.
Control-M/Agent Vulnerability reports generated by the CVE Analyzer contain the following sections of information:
- A summary of Agent configuration
- An analysis of whether each of the known CVEs impacts the Agent
- A summary of the number of detected CVEs
Example output:
===============================================
============= Script version 02.0 =============
============= Agent configuration =============
===============================================
OS type aix
Host name va-ctm-66
Agent User Account ctm66
Agent Home /home/ctm66/ctm_agent/ctm
Agent version 9.0.22.000
Comm option SSL=Y
Java AR Y
Authorized CTM IP
kdb_keystore PKCS12
use_openssl Y
keyfile /home/ctm66/ctm_agent/ctm/data/SSL/cert/agjks.p12
security_level 4
ALLOW_ACL -*-
DENY_ACL --
Blowfish in use 0
Certificate expire date notAfter=Oct 21 20:18:36 2034 GMT
Using default keystore 1
Using default password 1
===============================================
============= Start of CVE report =============
===============================================
CVE-2025-55108 - Not detected. Control-M/Agent is running in SSL/TLS mode
More information at https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441962
CVE-2025-55109 - Detected. Using default Keystore of type PKCS12
More information at https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441963
CVE-2025-55110 - Detected. Using default Keystore password
More information at https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441964
CVE-2025-55112 - Not detected. AES encryption is used
More information at https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441966
CVE-2025-55113 - Not detected. Not relevant - ACL not in use
More information at https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441967
CVE-2025-55114 - Not detected. Not relevant - AUTHORIZED_CTM_IP not in use
More information at https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441968
CVE-2025-55115 - Not detected. Not relevant with current version 9.0.22.000
More information at https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441969
CVE-2025-55116 - Not detected. Not relevant with current version 9.0.22.000
More information at https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441969
CVE-2025-55117 - Not detected. Not relevant when JAVA_AR is Y
More information at https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441972
CVE-2025-55118 - Not detected. Not relevant when JAVA_AR is Y
More information at https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441972
CVE-2025-55111 - Detected. The following directories and files have world permissions and should be considered for removal of these permissions
/home/ctm66/ctm_agent/ctm/data/PASSWRDS.dat
/home/ctm66/ctm_agent/ctm/data/JAVACONF.dat
More information at https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441965
===============================================
============= CVE summary =====================
===============================================
CVE's Detected: 2
Fix the errors, then run this report again
===============================================
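The report layout shown above is regular enough to parse when job output is collected from many Agents. The following is an added example, not part of the BMC CVE Analyzer package: the names `parse_report` and `detected_cves` are hypothetical, the sample is an excerpt of the example output above, and only the UNIX path layout shown on this page is assumed.

```python
import re

# Excerpt of the example report shown above (UNIX layout); some lines omitted.
SAMPLE_REPORT = """\
============= Start of CVE report =============
CVE-2025-55108 - Not detected. Control-M/Agent is running in SSL/TLS mode
More information at https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441962
CVE-2025-55109 - Detected. Using default Keystore of type PKCS12
CVE-2025-55110 - Detected. Using default Keystore password
CVE-2025-55111 - Detected. The following directories and files have world permissions and should be considered for removal of these permissions
/home/ctm66/ctm_agent/ctm/data/PASSWRDS.dat
/home/ctm66/ctm_agent/ctm/data/JAVACONF.dat
More information at https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441965
============= CVE summary =====================
CVE's Detected: 2
"""

CVE_LINE = re.compile(r"^(CVE-\d{4}-\d+) - (Detected|Not detected)\.\s*(.*)$")
SUMMARY_LINE = re.compile(r"^CVE's Detected:\s*(\d+)")


def parse_report(text):
    """Return (findings, summary_count) from CVE Analyzer job output."""
    findings, summary_count, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        cve = CVE_LINE.match(line)
        summary = SUMMARY_LINE.match(line)
        if cve:
            current = {"cve": cve.group(1), "detected": cve.group(2) == "Detected",
                       "reason": cve.group(3), "paths": [], "info": None}
            findings.append(current)
        elif summary:
            summary_count = int(summary.group(1))
        elif current and line.startswith("More information at "):
            current["info"] = line[len("More information at "):]
            current = None  # the link line closes the current CVE entry
        elif current and line.startswith("/"):
            current["paths"].append(line)  # file listed under a finding
    return findings, summary_count


def detected_cves(findings):
    """CVE ids whose per-CVE line says 'Detected'."""
    return [f["cve"] for f in findings if f["detected"]]


if __name__ == "__main__":
    findings, summary_count = parse_report(SAMPLE_REPORT)
    print("detected:", detected_cves(findings), "summary line:", summary_count)
```

In the example output above, the per-CVE lines mark three CVEs as detected while the summary line reads 2, which is why the parser returns both values instead of relying on the summary alone.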
The following procedures describe how to obtain and use the CVE Analyzer scripts and jobs:
- For a description of how to obtain the CVE Analyzer files, see "Obtaining the CVE Analyzer Scripts and Jobs".
- You can use the provided jobs or scripts through the Control-M client, Control-M Web, or Control-M Automation API, as described in the following procedures:
  - Using a CVE Analyzer Job to Generate a Vulnerability Report
  - Using a CVE Analyzer Script to Generate a Vulnerability Report
Obtaining the CVE Analyzer Scripts and Jobs
The following procedure describes how to obtain the CVE Analyzer scripts and jobs.
- Access the following storage location: https://control-m-pre-ga.s3.dualstack.us-east-1.amazonaws.com/Agent/CVE_Analyzer/CVE_Analyzer.zip
- Download CVE_analyzer.zip.
- Extract the zip file and store its contents in a location of your choice.
The zip file contains the following files:
- CVE_analyzer_Unix.json: CVE Analyzer job for Agents on UNIX or Linux platforms
- CVE_analyzer_Win.json: CVE Analyzer job for Agents on Windows platforms
- CVE_analyzer.sh: CVE Analyzer script for Agents on UNIX or Linux platforms
- CVE_analyzer.bat: CVE Analyzer script for Agents on Windows platforms
Using a CVE Analyzer Job to Generate a Vulnerability Report
The following procedure describes how to use the provided JSON-format job definition file to generate a vulnerability report for your Control-M/Agent in Control-M Web or Control-M Automation API.
Before You Begin:
- (Control-M Automation API) Ensure that you have a Control-M environment that connects to the Control-M REST API endpoint. If necessary, run the environment add API command to add an environment.
Begin:
- Open the relevant JSON-format job definitions file (CVE_analyzer_Unix.json for UNIX/Linux, or CVE_analyzer_Win.json for Windows) in any text editor, and set values for the following settings:
  - ControlmServer: Defines the Control-M/Server that the Control-M/Agent is associated with.
  - Host: Defines the Control-M/Agent host name or host group.
  - RunAs: Defines the name of the user responsible for running jobs on the Agent.
- Make the provided JSON-format job definitions file available to Control-M:
  - Control-M Web: Import the JSON with the Import from File... option, as described in Importing a Workspace.
  - Automation API: Deploy the JSON file by running the deploy command: ctm deploy <JSON_Full_Path>
- Run the job defined by the JSON definitions file:
  - Control-M Web: Find the imported CVE Analyzer job in the Planning domain and run it as described in Running a Workspace, Folders, or Jobs.
  - Automation API: Use the following run command:
    ctm run <JSON_Full_Path>
  If one or more CVEs are detected, the job status is Ended Not OK.
- Access the job output in the Monitoring domain to view the generated report.
- Address issues detected in the generated report.
- Rerun the job after you resolve issues. Repeat the reruns until no issues are detected.
Using a CVE Analyzer Script to Generate a Vulnerability Report
The following procedure describes how to use the provided CVE Analyzer script in an Embedded Script job in Control-M to generate a vulnerability report for your Control-M/Agent.
Begin:
- In the Planning domain, create an OS job to execute an embedded script, as described in Creating a Job and OS Job.
- Open the relevant script file (CVE_analyzer.sh for UNIX/Linux, or CVE_analyzer.bat for Windows) in any text editor, and copy its contents.
- Navigate to the General settings in your OS job, and do the following:
  - Paste the script contents in the Script field.
  - Define a file name in the File name field.
- After you finish configuring all other job attributes and settings, save your job.
- Run your OS job as described in Running a Workspace, Folders, or Jobs.
  If one or more CVEs are detected, the job status is Ended Not OK.
- Access the job output in the Monitoring domain to view the generated report.
- Address issues detected in the generated report.
- Rerun the job after you resolve issues. Repeat the reruns until no issues are detected.