BMC Control-M/Agent Memory Corruption Vulnerability in SSL/TLS Communication

Vulnerability

A memory corruption vulnerability has been identified in BMC Control-M/Agent versions 9.0.22 and lower, for both UNIX and Windows. This vulnerability can be remotely triggered when SSL/TLS communication is enabled, under specific non-default configuration settings.

Impact

Successful exploitation corrupts the agent's memory, which may allow an attacker to execute arbitrary code or to cause a denial-of-service condition.

Remediation

For Control-M/Agent versions 9.0.21 and 9.0.22, ensure the 'JAVA_AR' parameter is set to 'Y' and recycle the agent so the change takes effect. For Control-M/Agent versions 9.0.20 and lower, upgrade to a supported version and then verify that 'use_openssl' is set to 'Y'.
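The remediation rule above is version-dependent, so a fleet check has to combine the agent version with the parameter value. The POSIX sh script below is an added example (not code from the advisory or from BMC) that encodes that rule: it compares the reported version against 9.0.20 / 9.0.22 and then reads the relevant parameter. It assumes the agent configuration is a plain text file of "KEY VALUE" or "KEY=VALUE" lines and that the caller supplies the path and the version string; the sample file it writes is constructed for the demo, and the status labels it prints are the script's own.

```shell
# Added example (not from the advisory or BMC): apply the advisory's
# remediation rule to one agent's version and configuration parameters.
# Assumptions not stated on the page: the configuration is a plain text
# file of "KEY VALUE" or "KEY=VALUE" lines, and its path plus the agent
# version are supplied by the caller.

# cfg_get FILE KEY: print the first value recorded for KEY, or nothing.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]=]\{1,\}\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# vercmp A B: compare dotted version strings numerically; prints -1, 0 or 1.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
    done
    echo 0
}

# agent_status VERSION FILE: print a status line; exit 0 when no action is
# needed, 1 when the agent is still exposed per the advisory.
agent_status() {
    ver=$1; cfg=$2
    if [ "$(vercmp "$ver" 9.0.22)" -gt 0 ]; then
        echo not-affected; return 0
    fi
    if [ "$(vercmp "$ver" 9.0.21)" -ge 0 ]; then
        # 9.0.21 and 9.0.22: JAVA_AR=Y is the documented mitigation.
        if [ "$(cfg_get "$cfg" JAVA_AR)" = Y ]; then
            echo mitigated; return 0
        fi
        echo "vulnerable: set JAVA_AR to Y and recycle the agent"; return 1
    fi
    # 9.0.20 and lower: no parameter change is documented; an upgrade is required,
    # after which use_openssl must be Y.
    echo "vulnerable: upgrade to a supported version, then verify use_openssl=Y"
    return 1
}

# demo: run the check against a constructed sample configuration file.
demo() {
    tmp=$(mktemp)
    printf 'JAVA_AR N\nuse_openssl=Y\n' > "$tmp"   # constructed sample, not a real agent
    rc=0
    agent_status 9.0.22 "$tmp" || rc=$?
    echo "exit status: $rc"
    rm -f "$tmp"
}

demo
```

Feed `agent_status` the version string your inventory tool reports for each host and the path of that host's agent configuration; a non-zero exit status marks the host for follow-up.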

Added: Sep 16, 2025, 3:04 PM
Updated: Sep 16, 2025, 3:04 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 0.6
exploitability: 7.0
remediation: 8.3
relevance: 0.5
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.