2016

Severity: Critical

 

Summary: Heartbleed is a critical security vulnerability in the OpenSSL library (version 1.0.1). OpenSSL is open source software used by many websites and software products, including some Tableau products.

 

Impact: The Heartbleed vulnerability allows a remote attacker to read client or server application memory. This can expose encryption keys, which in turn enables decryption of data obtained by intercepting traffic. For example, passwords or other sensitive data could be accessed. Tableau’s Desktop products use OpenSSL to negotiate the security protocol from the server to the desktop; this includes both Tableau Server and Tableau Desktop products that communicate with other servers. For example, a dashboard with an embedded web page component may access a remote SSL-enabled server.

 

Vulnerable Versions: Tableau Desktop 8.1.0 (through 8.1.5), 8.2.0 Beta, Tableau Server 8.1.0 (through 8.1.5), 8.2.0 Beta, Tableau Reader 8.1.0 (through 8.1.5)

 

Resolution: Upgrade Tableau to the following versions:

Tableau Desktop: 8.1.6

Tableau Desktop: 8.2.0

Tableau Server: 8.1.6

Tableau Server: 8.2.0

Tableau Public: 8.1.6

 

 

For more information and questions, see the Heartbleed information document: Heartbleed Vulnerability | Tableau Software

Summary: If you or your organization uses Tableau Server 8.2 or earlier, you may be affected by the CVE-2014-3566 (POODLE) security vulnerability. This vulnerability can result in insecure or compromised transactions over SSLv3.

 

Follow the directions in the Knowledge Base article below to disable SSLv3 in older versions.

 

SSL Vulnerability CVE-2014-3566 (POODLE) | Tableau Software

 

NVD Announcement for: CVE-2014-3566

Summary: Microsoft announced a critical vulnerability in its Internet Explorer product. This vulnerability allows remote code execution and denial of service attacks.

This issue can affect you if your Tableau workbook contains a dashboard on which you included either of the following:

  • A web part that targets a malicious site.
  • A URL action that directs to a malicious site.

 

Install the latest Internet Explorer security update from Microsoft, which fixes this vulnerability.

 

The Knowledge Base article below lists the Windows updates considered most critical and is updated as issues are flagged to the team.

 

Resolving an Internet Explorer Critical Vulnerability that Affects Tableau | Tableau Software

Severity: Low-Medium

 

Summary: Under certain conditions a user who accesses a workbook as a Guest user can view data as the publisher of the data.

 

Vulnerable Versions: Tableau Server 9.0.0 (through 9.0.2)

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 9.0.3

 

Workaround: In the meantime, disable Guest access.

 

Knowledgebase Article: Security Advisory: Guest Users Can See Data As the Publisher User | Tableau Software

Severity: High

 

Summary: A user can send a specially crafted request to Tableau Server that allows the user to impersonate a different user.

 

Vulnerable Versions: Tableau Server 8.1 (through 8.1.20), 8.2 (through 8.2.12), 8.3 (through 8.3.7), 9.0 (through 9.0.3)

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 8.1.21

Tableau Server 8.2.13

Tableau Server 8.3.8

Tableau Server 9.0.4

 

Knowledgebase Article: Security Advisory: Users Can Be Impersonated | Tableau Software

Severity: Medium

 

Summary: Under certain conditions, a workbook viewed on Tableau Server shows data from a published data source on another site.

 

Vulnerable Versions: Tableau Server 9.0 (through 9.0.2)

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 9.0.3

Knowledgebase Article: Security Advisory: Workbook Shows Data From Different Site | Tableau Software

Summary: On March 3, 2015, an SSL/TLS security vulnerability nicknamed FREAK was discovered. FREAK allows attackers to intercept and potentially decrypt or alter HTTPS communication from vulnerable systems.

 

Tableau products have been upgraded to use an unaffected version of OpenSSL. See the Knowledge Base article below for more details.

 

NVD Announcement for: SSL CVE-2015-0204 | Tableau Software