The ROBOT vulnerability, disclosed on December 8, 2017, leverages a 19-year-old weakness in SSL/TLS servers. It allows unauthorized decryption and signing with the server's RSA key when the server supports RSA cipher suites that use PKCS #1 v1.5 padding. Servers configured to support these ciphers are vulnerable to attack.
Jama has evaluated our hosted environment and found that our services are not vulnerable to this security risk. Jama's hosted environment does not use the vulnerable RSA ciphers on our servers. Customers do not need to do anything to be protected from this vulnerability.
We have also evaluated Jama's application build for on-premises customers. The default TLS configurations for the application and for the Replicated UI are not vulnerable to ROBOT. On-premises customers who customize their TLS configuration should take care not to enable the vulnerable RSA ciphers in their environment. More information about ROBOT, and how to protect yourself from this vulnerability, can be found at https://robotattack.org.