Welcome to the Centrify Express Forums,
We appreciate you bringing this to our attention. Note that Centrify-enhanced OpenSSH is an optional component provided with our suite and customers can upgrade to any newer version of stock SSH at any point.
Can you provide us with the name of the tool and the CVEs referred by your tool and the version of Centrify OpenSSH you're using?
Reference Suite 2016.1 ships with OpenSSH 7.2p2 and there are vulnerabilities that may or may not apply to our version.
Commercial customers with access to the support portal can review the announcements page for any security advisories that affect our software.
Nonetheless, in the next few days we'll be releasing Centrify Server Suite 2017 that will upgrade our ehnanced version of OpenSSH to be based on 7.3p1.
Please provide the requested information and we will follow-up on this post.
Finally, note that you're posting in the Centrify Express forum. If you're a commercial for-profit organization relying on Centrify software for PCI compliance, you should be using our commercial versions (Standard or Enterprise); aside from full functionality, you can get SLA-based (standard or 24x7 support); if you're a commercial customer posting in this forum, please ignore the message.
R.P