You may be aware of the news related to a major security flaw in the OpenSSL software, a third-party component that is used in the DC RUM product line. This bug, known as Heartbleed, is in the OpenSSL implementation of the TLS/DTLS (Transport Layer Security protocols) heartbeat extension (RFC 6520). The problem may lead to the leaking of memory contents from the server to the client and from the client to the server.
The vulnerability (http://heartbleed.com/) is causing companies to patch affected systems. We have evaluated all Compuware APM products and listed their vulnerability status below:
DC RUM is affected only when:
If your DC RUM installation is affected, implement the fix provided on the APM Community. See the DC RUM Heartbleed Technical Alert for problem resolution details.
|The APMaaS (Gomez) platform does not use OpenSSL. As a precaution, the NOC team performed a security scan, and confirmed that the platform is not vulnerable to the Heartbleed bug.|
|APMaaS for dynaTrace|
|Customers who run the new manual tag injection feature and send the monitor signal via HTTPS could be affected because the Apache server was using a vulnerable OpenSSL version. However, this was fixed on April 10, 2014. All Apache and OpenSSL libraries have been updated. Only two instances of dynaTrace used the new HTTPS-based approach. One was used internally, and the other was not yet connected, so there was no customer impact.|
|dynaTrace does not use OpenSSL.|
|Business Service Management, Compuware Security Server, Enterprise Portal|| No ||BSM, CSS, and the Enterprise Portal do not use OpenSSL.|
|Synthetic Monitoring (ClientVantage)|| No ||Synthetic Monitoring uses OpenSSL versions 0.9.7E and 1.0.0a for Transaction Trace. Neither version is affected. The Synthetic Monitoring Agent Recorder (TestPartner) does not use OpenSSL.|
|Server Monitoring (ServerVantage)|| No ||Server Monitoring uses OpenSSL version 0.9.6b, which is not affected.|
|Transaction Trace Analysis (Application Vantage)|| No ||Transaction Trace uses OpenSSL version 1.0.0a, which is not affected.|
|VantageView|| No ||VantageView does not use OpenSSL.|
|NetworkVantage|| No ||NetworkVantage uses OpenSSL version 0.9.7E, which is not affected.|
|Customer Facing Properties|| No |