Is ObserveIT vulnerable to some reported CVEs?

Document ID : KB000105906
Last Modified Date : 11/07/2018
Question:
In the servers where we have installed ObserveIT, version 5.7.4.0, when carrying out a vulnerability scan we have come up with the following ones.

-CVE-2016-2183
-CVE-2017-6168 CVE-2017-17382 CVE-2017-17427 CVE-2017-17428 CVE-2017-12373 CVE-2017-13098 CVE-2017-1000385 CVE-2017-13099 CVE-2016-6883 CVE-2012-5081
-CVE-2011-3389
-CVE-2013-2566 CVE-2015-2808
-CVE-2014-3566

Can you tell us if it is compatible with the product version that we currently have installed?
Environment:
CA PIM 12.8 and 12.9
Answer:
Basically, ObserveIT is not vulnerable to the OpenSSL bug (Heartbleed), as it does not use OpenSSL. The ObserveIT Application Server is based on Microsoft IIS, which uses only Microsoft technology, and hence it is not susceptible to the Heartbleed vulnerability.

Most of the issues that were reported are TLS 1.0 and 1.1 issues, and this was due to the usage of .NET 3.5 in older ObserveIT versions, such as 5.7.4.0.

Since v7.4, ObserveIT uses .NET 4, and the system now supports TLS v1.2.

It is suggested to upgrade to a newer version in order to resolve the vulnerabilities that come from the usage of TLS 1.0 and 1.1.
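
To re-check the TLS 1.0/1.1 findings before and after the upgrade, the following added example (not part of the KB article and not vendor code) reports which of TLS 1.0, 1.1 and 1.2 an endpoint will negotiate. The host name and port 443 are assumptions; the function names are illustrative.

```python
import socket
import ssl
import warnings

VERSIONS = [("TLS 1.0", ssl.TLSVersion.TLSv1),
            ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
            ("TLS 1.2", ssl.TLSVersion.TLSv1_2)]
LEGACY = ("TLS 1.0", "TLS 1.1")

def probe(host, port, version, timeout=5.0):
    """True: handshake pinned to `version` worked. False: refused. None: not testable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # protocol probe only, not a trust decision
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # else OpenSSL may not offer 1.0/1.1
    except ssl.SSLError:
        pass
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = version
            ctx.maximum_version = version
    except ValueError:               # local OpenSSL build lacks this version
        return None
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:                  # endpoint unreachable
        return None
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return True
    except OSError:                  # ssl.SSLError is a subclass of OSError
        return False
    finally:
        sock.close()

def scan(host, port=443):
    return {name: probe(host, port, ver) for name, ver in VERSIONS}

def summarize(results):
    """Reduce scan() output to the state a re-scan should confirm."""
    legacy = [n for n in LEGACY if results.get(n) is True]
    tls12 = results.get("TLS 1.2") is True
    refused = all(results.get(n) is False for n in LEGACY)
    return {"legacy_accepted": legacy, "tls12_supported": tls12, "clean": tls12 and refused}

if __name__ == "__main__":
    print(summarize(scan("observeit.example.internal")))  # hypothetical host name
```

A `None` result for a legacy version means the probe could not offer that version from this machine, so `clean` stays false until the refusal is confirmed from a client that can.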