You may be aware of the news about a major security flaw in OpenSSL, a third-party component that is used in the DC RUM product line. This bug, known as Heartbleed, is in the OpenSSL implementation of the TLS/DTLS (Transport Layer Security protocols) heartbeat extension (RFC 6520). The problem may lead to the leaking of memory contents from the server to the client and from the client to the server.

The vulnerability (http://heartbleed.com/) is causing companies to patch affected systems. We have evaluated all Compuware APM products and listed their vulnerability status below:

Product | Affected | Description

DC RUM

Yes

Your installation of DC RUM may be affected.

DC RUM is affected only when:

  • The CAS/ADS version is equal to or higher than version 12.0.3 (SP3), and SSL communication is enabled.
  • AMDs that use Red Hat Enterprise Linux version 6.5 or higher, have an OpenSSL 1.0.1x version that is prior to 1.0.1e-16.el6_5.7, and have SSL communication enabled between the AMD and other components (CAS/ADS, Console or dynaTrace server).
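One way to apply the AMD condition above to an installed package string, as an added example that is not Compuware's own tooling. It assumes the input is the output of `rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl` on a RHEL 6.5 or later AMD; the function names and the simplified RPM-style comparison (no tilde or caret handling) are choices made for this example.

```python
import re

FIXED = "1.0.1e-16.el6_5.7"  # first unaffected RHEL 6 build named in this alert

def rpmvercmp(a, b):
    """Simplified RPM-style compare: -1 if a is older, 0 if equal, 1 if newer."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)  # runs of digits or letters;
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)  # separators are ignored
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric compare, so 14 > 7
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats a letter one
        if x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def amd_openssl_affected(vr, ssl_enabled=True):
    """True when the AMD condition in this alert holds for package string vr."""
    version, _, release = vr.partition("-")
    # Only the 1.0.1 branch is in scope, and only when SSL is enabled
    # between the AMD and other components (an input the caller supplies).
    if not ssl_enabled or not version.startswith("1.0.1"):
        return False
    fixed_version, _, fixed_release = FIXED.partition("-")
    order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return order < 0

# Constructed sample package strings, not taken from a real AMD.
SAMPLES = ["1.0.0-27.el6", "1.0.1e-15.el6", "1.0.1e-16.el6_5.4",
           "1.0.1e-16.el6_5.7", "1.0.1e-16.el6_5.14", "1.0.1e-30.el6"]

if __name__ == "__main__":
    for vr in SAMPLES:
        print(vr, "AFFECTED" if amd_openssl_affected(vr) else "not affected")
```

A plain string comparison would rank `16.el6_5.14` below `16.el6_5.7`; comparing segment by segment avoids flagging a patched AMD as affected.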

ACTION:

If your DC RUM installation is affected, implement the fix provided on the APM Community. See the DC RUM Heartbleed Technical Alert for problem resolution details.

APMaaS (Gomez)

No

This product is not affected by the Heartbleed bug.

The APMaaS (Gomez) platform does not use OpenSSL. As a precaution, the NOC team performed a security scan, and confirmed that the platform is not vulnerable to the Heartbleed bug.

APMaaS for dynaTrace

No

This product is not affected by the Heartbleed bug.

Customers who run the new manual tag injection feature and send the monitor signal via HTTPS could be affected because the Apache server was using a vulnerable OpenSSL version. However, this was fixed on April 10, 2014. All Apache and OpenSSL libraries have been updated. Only two instances of dynaTrace used the new HTTPS-based approach. One was used internally, and the other was not yet connected, so there was no customer impact.

dynaTrace

No

This product is not affected by the Heartbleed bug.

dynaTrace does not use OpenSSL.

Business Service Management, Compuware Security Server, Enterprise Portal

No

This product is not affected by the Heartbleed bug.

 BSM, CSS, and the Enterprise Portal do not use OpenSSL.

Synthetic Monitoring (ClientVantage)

No

This product is not affected by the Heartbleed bug.

Synthetic Monitoring uses OpenSSL versions 0.9.7E and 1.0.0a for Transaction Trace. Neither version is affected. The Synthetic Monitoring Agent Recorder (TestPartner) does not use OpenSSL.

Server Monitoring (ServerVantage)

No

This product is not affected by the Heartbleed bug.

Server Monitoring uses OpenSSL version 0.9.6b, which is not affected.

Transaction Trace Analysis (Application Vantage)

No

This product is not affected by the Heartbleed bug.

Transaction Trace uses OpenSSL version 1.0.0a, which is not affected.

VantageView

No

This product is not affected by the Heartbleed bug.

VantageView does not use OpenSSL.

NetworkVantage

No

This product is not affected by the Heartbleed bug.

NetworkVantage uses OpenSSL version 0.9.7E, which is not affected.

Customer Facing Properties

No

This product is not affected by the Heartbleed bug.

  • login.compuwareapm.com – This is our single-sign-on server; it uses OpenSSL version 0.9.8y, which is not affected.
  • community.compuwareapm.com – This is the APM Community; it does not use OpenSSL.
  • downloads.compuwareapm.com – This is our software download site; it does not use OpenSSL.
  • go.compuware.com – This is the FrontLine access point; it does not use OpenSSL.
  • help.compuware.com – This domain hosts our customer-facing mobile help; it does not use OpenSSL.
  • www.compuware.com – This is our main website; it uses OpenSSL version 0.9.8y, which is not affected.
