Rally On-Premises - Update Required for Rally Admin Console

Article ID: 189212

Products

CA Agile Central On Premise (Rally)

Issue/Introduction

Due to a recently discovered bug in the version of Replicated (the third-party backend technology that drives the Rally On-Premises Admin Console) that is installed on your Rally instance, we strongly recommend that you upgrade to the latest patched version of Replicated. 

There are no known exploits of this vulnerability; however, this bug does have security implications, which you should promptly address to avoid exploit or exposure.

Further details of this bug will be shared by Replicated at a later date. However, prior to their public disclosure, we recommend that you update your servers now.

As currently observed, this bug allows for the possibility that the private key used to secure the Replicated Admin Console on port 8800 could be exposed to any client able to connect to port 8800 of this server.

This only affects versions 2.0 and 2.0.1. It does not affect 2018.1 and earlier.

Environment

Rally On-Premises version 2.0, 2.0.1

Resolution

If you have uploaded a TLS key and certificate to your Replicated Admin Console on port 8800, and your server is exposed to the public Internet, then, besides updating to the latest Replicated version, we recommend that you also rotate and revoke this certificate after installing the patched version. Installations that have the default self-signed certificate, or that have not exposed the internal Admin Console port (8800) broadly, should simply update to the patched version.
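One way to triage a server against the guidance above, as an added example that is not part of the original article or of Replicated's tooling. It assumes `openssl` is installed; the function names and result strings are hypothetical, and the subject/issuer comparison is only a heuristic, since an uploaded certificate can itself be self-signed.

```shell
#!/bin/sh
# Added example: triage helper for the Admin Console certificate on port 8800.

# Save the certificate presented by the Admin Console (network call; run it
# only against your own server).
fetch_console_cert() {
    openssl s_client -connect "$1:${2:-8800}" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Print "self-signed" when subject and issuer match, "ca-issued" otherwise.
# A CA-issued certificate cannot be the default one, so it was uploaded.
classify_cert() {
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null) \
        || { echo "unknown"; return 1; }
    issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 2>/dev/null) \
        || { echo "unknown"; return 1; }
    if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
        echo "self-signed"
    else
        echo "ca-issued"
    fi
}

# Map certificate class and Internet exposure ("yes"/"no") to the action the
# Resolution section describes.
recommend_action() {
    if [ "$2" != "yes" ]; then
        echo "update-only"
    elif [ "$1" = "ca-issued" ]; then
        echo "update-rotate-revoke"
    else
        # Self-signed and exposed: updating alone is enough only if this is
        # the default certificate, which the operator has to confirm.
        echo "update-only-if-default-cert"
    fi
}

# Usage: ./triage.sh <host> <internet-exposed: yes|no>
if [ "$#" -ge 2 ]; then
    pem=$(mktemp)
    fetch_console_cert "$1" > "$pem" || { echo "could not fetch certificate" >&2; exit 1; }
    class=$(classify_cert "$pem") || { echo "could not parse certificate" >&2; exit 1; }
    echo "certificate: $class; action: $(recommend_action "$class" "$2")"
    rm -f "$pem"
fi
```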

Please download the patch with instructions on how to perform the update from the Broadcom Support Portal. If you have any questions, please contact Rally Support.