
Security Bulletins


Severity: Medium

 

Summary: Tableau Server and Tableau Desktop may misinterpret part of a password as a delimiter and fail to remove the entire password when writing log statements. Tableau writes logs to access-controlled areas of the file system.

 

Impact: A password used to connect with an ODBC-based connector may be partially disclosed. If the password contains certain special characters, Tableau interprets them as delimiters and writes the portion of the password that follows them to the application logs in cleartext. An attacker with access to these log files learns part of the password, which shrinks the search space for a brute-force attack on the database.
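The failure mode above, as an added example rather than Tableau's own code: a delimiter-based redaction of the kind the bulletin describes, beside two hardened forms and a check for residual password fragments. The connection strings, the password and the key names are constructed for illustration, and the `KEY=value;` shape with brace-quoted values is the general ODBC convention; how Tableau's own logging scrubs values is not described on this page.

```python
import re

# Constructed sample connection strings (hypothetical values, not taken from
# any real log). The password deliberately contains ';' and '=', the kind of
# characters an ODBC connection-string parser treats as delimiters.
SAMPLE_PWD = "s3;cr=et!"
CONN_UNQUOTED = "DRIVER={PostgreSQL};SERVER=db.internal;UID=report;PWD=s3;cr=et!;DATABASE=sales"
CONN_QUOTED = "DRIVER={PostgreSQL};SERVER=db.internal;UID=report;PWD={s3;cr=et!};DATABASE=sales"

SENSITIVE_KEYS = {"PWD", "PASSWORD"}


def scrub_naive(conn: str) -> str:
    """Vulnerable pattern: blank everything after PWD= up to the next ';'.
    When the password itself contains ';', only the first fragment is
    removed and the remainder is written to the log in cleartext."""
    return re.sub(r"(PWD=)[^;]*", r"\1***", conn, flags=re.IGNORECASE)


def scrub_by_value(conn: str, secret: str) -> str:
    """Hardened form 1: the component that built the connection string still
    holds the secret, so it redacts by exact value instead of re-parsing the
    string. Works whatever characters the secret contains."""
    return conn.replace(secret, "***") if secret else conn


def tokenize(conn: str) -> list:
    """Split 'KEY=value;KEY=value' into (key, value) pairs, honouring the ODBC
    convention that a brace-quoted value may contain ';' and '='."""
    pairs, i, n = [], 0, len(conn)
    while i < n:
        eq = conn.find("=", i)
        if eq == -1:
            break
        key = conn[i:eq].strip()
        j = eq + 1
        if j < n and conn[j] == "{":
            end = conn.find("}", j)
            if end == -1:
                raise ValueError("unterminated brace-quoted value")
            value, i = conn[j:end + 1], end + 1
            if i < n and conn[i] == ";":
                i += 1
        else:
            end = conn.find(";", j)
            end = n if end == -1 else end
            value, i = conn[j:end], end + 1
        pairs.append((key, value))
    return pairs


def scrub_tokenized(conn: str) -> str:
    """Hardened form 2: parse delimiter-aware, then drop the whole value of
    every sensitive key. Correct only when the producer brace-quotes values
    that contain delimiters; CONN_UNQUOTED is ambiguous and no consumer-side
    parser can recover where that password really ends."""
    return ";".join(f"{k}={'***' if k.upper() in SENSITIVE_KEYS else v}"
                    for k, v in tokenize(conn))


def leaks_fragment(text: str, secret: str, min_len: int = 3) -> bool:
    """Detection check: does any substring of the secret of min_len or more
    characters still appear in the scrubbed text? Catches partial leaks
    such as the 'cr=et!' tail left behind by scrub_naive."""
    return any(secret[a:a + min_len] in text
               for a in range(len(secret) - min_len + 1))
```

Run `leaks_fragment` over the scrubbed output of whichever redaction path a component actually uses; it is the cheapest regression test for this class of bug, because it does not depend on knowing how the scrubber tokenises.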

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server 10.0 through 10.0.20

Tableau Server 10.1 through 10.1.19

Tableau Server 10.2 through 10.2.15

Tableau Server 10.3 through 10.3.15

Tableau Server 10.4 through 10.4.11

Tableau Server 10.5 through 10.5.8

Tableau Server 2018.1 through 2018.1.5

Tableau Server 2018.2 through 2018.2.2

Tableau Server 2018.3

 

Tableau Server on Linux 10.5 through 10.5.8

Tableau Server on Linux 2018.1 through 2018.1.5

Tableau Server on Linux 2018.2 through 2018.2.2

 

Tableau Desktop 10.0 through 10.0.20

Tableau Desktop 10.1 through 10.1.19

Tableau Desktop 10.2 through 10.2.15

Tableau Desktop 10.3 through 10.3.15

Tableau Desktop 10.4 through 10.4.11

Tableau Desktop 10.5 through 10.5.8

 

Tableau Bridge 2018.2 through 2018.2.0.18.0918.0707

 

Tableau Prep 2018.1.1 through 2018.3.1


Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server 10.0.21

Tableau Server 10.1.20

Tableau Server 10.2.16

Tableau Server 10.3.16

Tableau Server 10.4.12

Tableau Server 10.5.9

Tableau Server 2018.1.6

Tableau Server 2018.2.3

Tableau Server on Linux 10.5.9

Tableau Server on Linux 2018.1.6

Tableau Server on Linux 2018.2.3

 

Tableau Desktop 10.0.21

Tableau Desktop 10.1.20

Tableau Desktop 10.2.16

Tableau Desktop 10.3.16

Tableau Desktop 10.4.12

Tableau Desktop 10.5.9

Tableau Desktop 2018.1.6

Tableau Desktop 2018.2.3

 

Tableau Bridge 2018.3.0.18.1016.2147

 

Tableau Prep 2018.3.2

Severity: High

 

Summary: Tableau Server makes use of the Java JRE. The July 2018 updates to the Java JRE contained an unspecified High severity issue (CVE-2018-2942) that might present a risk to Tableau Server.

 

Impact: From http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html#AppendixJAVA

Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

 

This vulnerability may allow for the compromise of the integrity, confidentiality and availability of Tableau Server.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server 10.0 through 10.0.20

Tableau Server 10.1 through 10.1.19

Tableau Server 10.2 through 10.2.15

Tableau Server 10.3 through 10.3.15

Tableau Server 10.4 through 10.4.11

Tableau Server 10.5 through 10.5.8

Tableau Server 2018.1 through 2018.1.5

Tableau Server 2018.2 through 2018.2.2

Tableau Server on Linux 10.5 through 10.5.8

Tableau Server on Linux 2018.1 through 2018.1.5

Tableau Server on Linux 2018.2 through 2018.2.2

 

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server 10.0.21

Tableau Server 10.1.20

Tableau Server 10.2.16

Tableau Server 10.3.16

Tableau Server 10.4.12

Tableau Server 10.5.9

Tableau Server 2018.1.6

Tableau Server 2018.2.3

Tableau Server on Linux 10.5.9

Tableau Server on Linux 2018.1.6

Tableau Server on Linux 2018.2.3

Severity: Medium

 

Summary: This vulnerability requires that a malicious user embed specific parameters in a Tableau workbook and have rights to publish the workbook on Tableau Server. The malicious user must then construct a specially crafted URL that causes arbitrary JavaScript to run in the victim's browser at run time.

 

Impact: When users open the modified workbook via the specially crafted URL, arbitrary JavaScript can run in their browser session.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server 10.0 through 10.0.20

Tableau Server 10.1 through 10.1.19

Tableau Server 10.2 through 10.2.15

Tableau Server 10.3 through 10.3.14

Tableau Server 10.4 through 10.4.10

Tableau Server 10.5 through 10.5.7

Tableau Server 2018.1 through 2018.1.4

Tableau Server 2018.2 through 2018.2.1

Tableau Server on Linux 10.5 through 10.5.7

Tableau Server on Linux 2018.1 through 2018.1.4

Tableau Server on Linux 2018.2 through 2018.2.1

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server 10.0.21

Tableau Server 10.1.20

Tableau Server 10.2.16

Tableau Server 10.3.15

Tableau Server 10.4.11

Tableau Server 10.5.8

Tableau Server 2018.1.5

Tableau Server 2018.2.2

Tableau Server on Linux 10.5.8

Tableau Server on Linux 2018.1.5

Tableau Server on Linux 2018.2.2

Severity: Medium

 

Summary: A Tableau Server configured with “External SSL” enabled that receives a specially crafted HTTP request on the non-SSL port will respond with a redirect to the HTTPS port. The redirect will specify the local IP address of the host rather than the hostname.

 

Impact: An internal IP address of the Tableau Server host is exposed. For Tableau Server instances reachable from the internet, this vulnerability discloses details of the internal network topology to outside users.
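A check for the behaviour described above, added here as an example and not part of the bulletin: given the redirect responses a server returns on its non-SSL port, flag any `Location` header whose host is a private, loopback or link-local IP literal rather than the configured hostname. The sample responses are constructed. The bulletin does not disclose what the "specially crafted" request is, so the optional live probe sends an ordinary GET with an overridable Host header; treat it as a starting point, not a reproduction.

```python
import http.client
import ipaddress
from urllib.parse import urlsplit

# Constructed sample redirect responses (not captured from a real server).
SAMPLE_RESPONSES = [
    {"status": 302, "location": "https://tableau.example.com/"},  # hostname: fine
    {"status": 302, "location": "https://10.0.3.17:443/"},        # RFC 1918 literal: leak
    {"status": 301, "location": "https://[fd00::1]/"},            # IPv6 ULA literal: leak
    {"status": 200, "location": None},                            # not a redirect
]

REDIRECT_CODES = {301, 302, 303, 307, 308}


def leaked_private_host(location):
    """Return the non-public IP literal named by a Location header, else None.
    A DNS name is fine: the bulletin's issue is the server substituting its
    own local address for the configured hostname."""
    if not location:
        return None
    host = urlsplit(location).hostname  # drops the port and IPv6 brackets
    if not host:
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name, not an IP literal
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return str(ip)
    return None


def audit_redirects(responses):
    """Return [(location, leaked_ip)] for every redirect whose target leaks
    an internal address."""
    findings = []
    for r in responses:
        if r["status"] in REDIRECT_CODES:
            ip = leaked_private_host(r.get("location"))
            if ip:
                findings.append((r["location"], ip))
    return findings


def probe(host, port=80, path="/", host_header=None, timeout=5):
    """Live check (needs network; not exercised by the offline test): send a
    plain HTTP request to the non-SSL port and return (status, Location).
    Passing a Host header explicitly makes http.client use it verbatim."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    headers = {"Host": host_header} if host_header else {}
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    location = resp.getheader("Location")
    conn.close()
    return resp.status, location
```

Feed `probe()` results into `leaked_private_host()` for each Host variant you want to try (configured name, bare IP, a name that does not resolve); a clean server answers every variant with the configured public hostname.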

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server 10.0 through 10.0.20

Tableau Server 10.1 through 10.1.19

Tableau Server 10.2 through 10.2.15

Tableau Server 10.3 through 10.3.14

Tableau Server 10.4 through 10.4.10

Tableau Server 10.5 through 10.5.7

Tableau Server 2018.1 through 2018.1.4

Tableau Server 2018.2 through 2018.2.1

Tableau Server 2018.3

 

Tableau Server on Linux 10.5 through 10.5.7

Tableau Server on Linux 2018.1 through 2018.1.4

Tableau Server on Linux 2018.2 through 2018.2.1

 

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server 10.0.21

Tableau Server 10.1.20

Tableau Server 10.2.16

Tableau Server 10.3.15

Tableau Server 10.4.11

Tableau Server 10.5.8

Tableau Server 2018.1.5

Tableau Server 2018.2.2

Tableau Server on Linux 10.5.8

Tableau Server on Linux 2018.1.5

Tableau Server on Linux 2018.2.2

Severity: High

 

Summary:  The JavaScript engine that runs Dashboard Extensions in Tableau Desktop has a memory corruption issue.

 

Impact: A malicious Dashboard Extension can cause memory corruption and possibly code execution under the privileges of the user that is running Tableau Desktop.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Desktop 2018.2.0

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Desktop 2018.2.2

Severity: High

 

Summary: The unixODBC driver is installed with Tableau Server on Linux. The unixODBC team fixed a vulnerability that affects Tableau Server. An authenticated attacker that can publish a workbook can force Tableau Server to connect to a malicious database that can trigger this vulnerability.

 

Impact: A Tableau Server on Linux instance that connects to a malicious database may execute arbitrary code or crash.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server on Linux 10.5.0 through 10.5.7

Tableau Server on Linux 2018.1.0 through 2018.1.4

Tableau Server on Linux 2018.2.0

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server on Linux 10.5.8

Tableau Server on Linux 2018.1.5

Tableau Server on Linux 2018.2.1

 

Appendix: Database drivers that use unixODBC as of 9/27/2018

Amazon Hive

Amazon Impala

Amazon Redshift

Cloudera Hive

Cloudera Impala

EssBase

ExaSolution

Hortonworks Hive

IBM DB2

MapR Drill

MySQL

Oracle

PostgreSQL

SAP HANA

Simba Presto

Simba Spark

Snowflake

SQL Server

Teradata

Vertica

Severity: Medium

 

Summary: Tableau Prep does not properly validate filenames when opening a maliciously-crafted Packaged Tableau Flow File (.tflx). The resulting files can be written outside of the intended temporary location.

 

Impact: A Tableau Prep user who opens a maliciously-crafted Tableau Flow File can unknowingly create or overwrite files in any location the user has write access to.
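The bug class above (an archive member name such as `../../x` accepted as-is when unpacking) beside the hardened form, as an added example that is not Tableau Prep's code. It assumes a packaged `.tflx` is a zip container and uses invented member names; the real layout of a flow package is not described on this page. The demo runs inside a throwaway directory so the escaping file lands in that tree's root rather than anywhere sensitive.

```python
import io
import os
import shutil
import tempfile
import zipfile


def build_malicious_tflx() -> bytes:
    """Construct, in memory, a package whose entry names include a traversal
    sequence (hypothetical contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flow.tfl", "<flow/>")                    # benign entry
        zf.writestr("../../evil.txt", "attacker-controlled")  # escapes dest
    return buf.getvalue()


def extract_unsafe(data: bytes, dest: str) -> list:
    """Vulnerable pattern: trust the entry name and write wherever it points.
    (ZipFile.extract() would sanitise the name; writing through open()
    reproduces the bug the bulletin describes.)"""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def safe_target(dest: str, name: str) -> str:
    """Resolve an entry name against dest and reject anything that escapes.
    realpath() also collapses symlinks, so a link planted inside dest cannot
    be used to walk out; commonpath() raises on different drives (Windows)."""
    if os.path.isabs(name):
        raise ValueError(f"absolute entry name rejected: {name!r}")
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise ValueError(f"entry escapes extraction directory: {name!r}")
    return target


def extract_safe(data: bytes, dest: str) -> list:
    """Hardened form: validate every entry name before writing anything, so a
    bad package is rejected whole rather than half-extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = [i for i in zf.infolist() if not i.is_dir()]
        targets = [(i, safe_target(dest, i.filename)) for i in entries]  # raises on traversal
        written = []
        for info, target in targets:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors on the malicious package inside a temp tree and
    report what happened; the temp tree is removed afterwards."""
    root = tempfile.mkdtemp(prefix="tflx-demo-")
    try:
        dest = os.path.join(root, "work", "unpack")
        os.makedirs(dest)
        data = build_malicious_tflx()
        dest_real = os.path.realpath(dest)
        unsafe_paths = extract_unsafe(data, dest)
        escaped = [p for p in unsafe_paths if not p.startswith(dest_real + os.sep)]
        try:
            extract_safe(data, os.path.join(root, "safe"))
            rejected = False
        except ValueError:
            rejected = True
        return {
            "unsafe_escaped": escaped,  # the file written two levels above dest
            "escaped_file_exists": os.path.exists(os.path.join(root, "evil.txt")),
            "safe_rejected": rejected,
            "safe_wrote_anything": os.path.exists(os.path.join(root, "safe")),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

The validate-then-write order in `extract_safe` matters: validating each entry just before writing it would still leave the benign entries on disk when a later entry is rejected, which is exactly the half-trusted state a user would not notice.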

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Prep: 2018.1 through 2018.1.2

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Prep: 2018.2.1

Severity: Medium

 

Summary: Changing the log level to "debug" exposes datasource credentials in plaintext in the application logs. The log files are stored in an access-controlled location. On Tableau Desktop, access to Tableau application logs is limited to the current user. On Tableau Server, application logs are stored with permission that is restricted to the local administrator.

 

By default, the log level is set to "info".

 

Impact: An attacker with access to the application logs can learn the datasource credentials.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Desktop: 2018.1 through 2018.1.2

Tableau Server on Windows: 2018.1 through 2018.1.2

Tableau Server on Linux: 2018.1 through 2018.1.2

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Desktop: 2018.1.3

Tableau Server on Windows: 2018.1.3

Tableau Server on Linux: 2018.1.3

Severity: Informational

 

Summary: When connecting to a datasource using Web Authoring in Tableau Server and Tableau Online, the “Require SSL” checkbox is not persisted when the workbook is saved. If the datasource has SSL and non-SSL connections enabled, the workbook will connect to the datasource without using SSL.

 

On Tableau Desktop, the “Require SSL” checkbox is persisted to the workbook and operates as intended when the workbook is opened in Desktop and when it is published to Tableau Server or Tableau Online.

 

Impact: Workbooks that are intended to connect to a datasource over SSL do not use SSL and instead connect over plaintext.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server on Windows: 2018.1.1

Tableau Server on Linux: 2018.1.1

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server on Windows: 2018.1.2

Tableau Server on Linux: 2018.1.2

Severity: Medium

 

Summary: The tabcmd utility logs all commands and their parameters to a local log file. When sensitive parameters are given, such as the password parameter used to authenticate to Tableau Server, the value is written to the log in plaintext.

 

Impact: Malicious users with access to the tabcmd logs can access passwords that are used for authenticating to Tableau Server.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server: 9.2 through 9.2.24

Tableau Server: 9.3 through 9.3.22

Tableau Server: 10.0 through 10.0.18

Tableau Server: 10.1 through 10.1.17

Tableau Server: 10.2 through 10.2.13

Tableau Server: 10.3 through 10.3.11

Tableau Server: 10.4 through 10.4.7

Tableau Server on Windows: 10.5 through 10.5.4

Tableau Server on Linux: 10.5 through 10.5.4

Tableau Server on Windows: 2018.1.1

Tableau Server on Linux: 2018.1.1

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server: 9.2.25

Tableau Server: 9.3.23

Tableau Server: 10.0.19

Tableau Server: 10.1.18

Tableau Server: 10.2.14

Tableau Server: 10.3.12

Tableau Server: 10.4.8

Tableau Server on Windows: 10.5.5

Tableau Server on Linux: 10.5.5

Tableau Server on Windows: 2018.1.2

Tableau Server on Linux: 2018.1.2

Severity: High

 

Summary: Tableau Server installs and uses the Java JRE. The April 2018 updates to the Java JRE contained an unspecified high severity issue (CVE-2018-2783) that may present a risk to Tableau Server.

 

Impact: From http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixJAVA :

(The vulnerability) applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server: 9.2 through 9.2.24

Tableau Server: 9.3 through 9.3.22

Tableau Server: 10.0 through 10.0.18

Tableau Server: 10.1 through 10.1.17

Tableau Server: 10.2 through 10.2.13

Tableau Server: 10.3 through 10.3.11

Tableau Server: 10.4 through 10.4.7

Tableau Server on Windows: 10.5 through 10.5.4

Tableau Server on Linux: 10.5 through 10.5.4

Tableau Server on Windows: 2018.1.1

Tableau Server on Linux: 2018.1.1

 

Resolution: The issue can be fixed by upgrading to the following version, which includes an updated version of the Java JRE:

Tableau Server: 9.2.25

Tableau Server: 9.3.23

Tableau Server: 10.0.19

Tableau Server: 10.1.18

Tableau Server: 10.2.14

Tableau Server: 10.3.12

Tableau Server: 10.4.8

Tableau Server on Windows: 10.5.5

Tableau Server on Linux: 10.5.5

Tableau Server on Windows: 2018.1.2

Tableau Server on Linux: 2018.1.2

 

More information: NIST CVE-2018-2783

Severity: Medium

 

Summary: Tableau Services Manager (TSM) CLI logs all commands and their parameters to a local log file. When sensitive parameters are given, such as the password parameter used to authenticate to TSM, the value is written to the log in plaintext.

The TSM CLI component is included with Tableau Server on Linux. Tableau Server on Windows is not affected by this vulnerability.

 

Impact: Malicious users with access to the TSM CLI logs can access passwords that are used for authenticating to Tableau Services Manager.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server on Linux 10.5 through 10.5.4

Tableau Server on Linux 2018.1 through 2018.1.1

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server on Linux 10.5.5

Tableau Server on Linux 2018.1.2

 

Acknowledgements: This issue was reported to Tableau by Paul Grimshaw (Totally Techy)

Severity: Medium

 

Summary: The authentication mechanism on the internal REST service that is used by Tableau Prep can be bypassed. The REST service runs only while Tableau Prep is being used. Since the REST service only listens on localhost, an attacker would have to have access to execute code on the host to exploit this vulnerability. In the remote case, a user would have to visit a malicious website that exploits the vulnerability.

 

Impact: An attacker that can make calls to the REST service can read data from the datasources that Tableau Prep is connected to.
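The two paths in the summary (a process on the same host calling the service, and a malicious web page driving the victim's browser at it) are the standard threat model for any HTTP service bound to loopback. Below is an added example, not Tableau Prep's code, of the per-request checks such a service should enforce: a loopback-only Host header (defeats DNS rebinding), refusal of any browser cross-origin request (refuses the malicious-website case outright rather than relying on CORS), and a per-launch bearer token compared in constant time. What Tableau's own mechanism did, and why it could be bypassed, is not described on this page; the header names, token scheme and sample requests are constructed.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Host header values a local client legitimately uses. A request that reached
# the loopback listener carrying any other Host came from a browser whose DNS
# answer was rebound to 127.0.0.1 (or through a proxy) and is refused.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def new_session_token() -> str:
    """Per-launch bearer token the desktop app hands only to its own UI."""
    return secrets.token_urlsafe(32)


def authorize(headers: dict, expected_token: str) -> tuple:
    """Decide whether a request to the loopback service may proceed.
    headers: lower-cased header names -> values. Returns (allowed, reason)."""
    host = urlsplit("//" + headers.get("host", "")).hostname  # strips port and [] brackets
    if host not in LOOPBACK_HOSTS:
        return False, "host header is not loopback (DNS rebinding?)"
    # Browsers attach Origin to cross-site requests; a local desktop client
    # does not. Refusing every Origin blocks a malicious page before any
    # side effect happens; CORS alone would only stop it reading the reply.
    if "origin" in headers:
        return False, "cross-origin browser request refused"
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme != "Bearer" or not hmac.compare_digest(token.encode(), expected_token.encode()):
        return False, "missing or bad bearer token"
    return True, "ok"


def sample_requests(token: str) -> list:
    """Constructed requests: one legitimate client and the three ways in."""
    return [
        ("local client", {"host": "127.0.0.1:8765", "authorization": "Bearer " + token}),
        ("rebound browser", {"host": "attacker.example", "authorization": "Bearer " + token}),
        ("cross-site browser", {"host": "localhost:8765", "origin": "https://attacker.example"}),
        ("local guesser", {"host": "localhost:8765", "authorization": "Bearer " + "x" * 43}),
    ]


def run_samples(token: str) -> dict:
    """Map each sample request name to the authorize() decision."""
    return {name: authorize(h, token)[0] for name, h in sample_requests(token)}
```

The "local guesser" case is the one a token alone solves; the other two are why the Host and Origin checks are needed in addition to it, since a browser on the same machine will happily supply loopback connectivity to any page it visits.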

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Prep 2018.1 through 2018.1.1

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Prep 2018.1.2 or later

Severity:  Critical

 

Summary: Some versions of Tableau Server contain a vulnerability that allows a malicious user with publishing privileges to publish a workbook that runs malicious code. The vulnerability allows the code to run with the security privileges of the Tableau Server service account ("Run As User" account on Windows and the "tableau" system user on Linux). Deployments that allow untrusted publishers or use sites to enforce security policies are at highest risk from this vulnerability.

 

Tableau Desktop is also vulnerable; the issue can be exploited when a user opens a maliciously crafted workbook.

 

Tableau Online and the Tableau Public community platform are not affected by this vulnerability.

 

Impact:  Remote code execution that could impact the confidentiality, integrity, and availability of Tableau Server.  This vulnerability could allow a malicious user hosted on one site of a Tableau Server instance to compromise another site that is hosted on the same computer.

 

On Tableau Desktop, the vulnerability could result in the execution of malicious code that could impact confidentiality, integrity, and availability of the computer running Tableau Desktop. In the Desktop scenario, the code runs in the security context of the user who opens the compromised workbook.

 

Vulnerable Versions: The following versions of Tableau Server and Tableau Desktop (including Tableau Desktop Public Edition and Tableau Reader) are vulnerable:

Tableau Server on Linux through 10.5.3
Tableau Server on Linux through 2018.1.0


Tableau Server on Windows through 9.2.23
Tableau Server on Windows through 9.3.21
Tableau Server on Windows through 10.0.17
Tableau Server on Windows through 10.1.16
Tableau Server on Windows through 10.2.12
Tableau Server on Windows through 10.3.10

 

Tableau Desktop through 9.2.23
Tableau Desktop through 9.3.21
Tableau Desktop through 10.0.17
Tableau Desktop through 10.1.16
Tableau Desktop through 10.2.12
Tableau Desktop through 10.3.10

 

The following versions are not vulnerable:

  • Tableau Desktop 10.4, 10.5 and 2018.1 on Windows or Mac.
  • Tableau Server on Windows 10.4.x
  • Tableau Server on Windows 10.5.x
  • Tableau Server on Windows 2018.1

 

Resolution: The issue can be fixed by upgrading to the following version:

 

Tableau Server on Windows - 9.2.24, 9.3.22, 10.0.18, 10.1.17, 10.2.13, 10.3.11

 

Tableau Server on Linux - 2018.1.1, 10.5.4

 

Tableau Desktop - 9.2.24, 9.3.22, 10.0.18, 10.1.17, 10.2.13, 10.3.11

Severity: Medium

 

Summary: Tableau Services Manager (TSM) passes a sensitive value via the command line during node initialization.

 

TSM is included with Tableau Server on Linux. Tableau Server on Windows is not affected by this vulnerability.

 

Impact: Malicious users with access to the host and the ability to view the process list could view process attributes, including the TSM administrator password.
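This bulletin, and the tabcmd and TSM CLI log-file bulletins above, are the same mistake seen from two sides: a secret passed on the command line is visible to the process list for as long as the process runs, and any CLI that logs its own argv writes it to disk. The following is an added example, not tabcmd's or TSM's code: argv redaction before logging, a demonstration of the process-list exposure by reading `/proc/<pid>/cmdline` of a child, and the hardened alternative of delivering the secret over stdin. The flag spellings and sample command lines are illustrative.

```python
import os
import shlex
import subprocess
import sys

# Flags treated as secret-bearing. '--password' and '-p' are the usual
# spellings; the set is illustrative, not a full list of either tool's options.
SENSITIVE_FLAGS = {"--password", "-p"}
PLACEHOLDER = "REDACTED"


def redact_argv(argv, sensitive=SENSITIVE_FLAGS):
    """Copy of argv with secret values replaced, fit for a command log.
    Handles '--password VALUE', '--password=VALUE' and attached '-pVALUE'."""
    out, consume_next = [], False
    for arg in argv:
        if consume_next:            # the value following a bare sensitive flag
            out.append(PLACEHOLDER)
            consume_next = False
            continue
        flag, eq, _ = arg.partition("=")
        if flag in sensitive:
            if eq:
                out.append(f"{flag}={PLACEHOLDER}")
            else:
                out.append(arg)
                consume_next = True
            continue
        short = next((s for s in sensitive
                      if len(s) == 2 and arg.startswith(s) and len(arg) > 2), None)
        out.append(short + PLACEHOLDER if short else arg)
    return out


def format_for_log(argv) -> str:
    """What a CLI should write to its log: the redacted, shell-quoted line."""
    return shlex.join(redact_argv(argv))


def secret_visible_in_cmdline(secret: str):
    """Why argv is the wrong channel: spawn a child with the secret as an
    argument and read its /proc/<pid>/cmdline the way any local user can.
    Returns True/False, or None on systems without /proc."""
    child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(30)",
                              "--password", secret])
    try:
        path = f"/proc/{child.pid}/cmdline"
        if not os.path.exists(path):
            return None
        with open(path, "rb") as f:
            return secret.encode() in f.read()
    finally:
        child.kill()
        child.wait()


def run_with_stdin_secret(secret: str) -> int:
    """Hardened form: hand the secret to the child over stdin so it never
    appears in argv, the process list or an argv-based log. The child is a
    stand-in that only reports how many bytes it received."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(len(sys.stdin.read()))"],
        input=secret.encode(), capture_output=True, check=True)
    return int(proc.stdout)
```

Redaction covers the log file but not the process list; only moving the secret off argv (stdin, an environment variable the child clears, or a file with restricted permissions) covers both, which is why the two fixes in these bulletins are different changes.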

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server on Linux 2018.1.0

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server on Linux 2018.1.1