Severity: High

Summary: An attacker can craft a Tableau Workbook that executes code on a victim's machine when opened. The attacker must convince the user to open the workbook to complete the attack.


Vulnerable Versions: Tableau Desktop, Reader and Public 8.2.0 (through 8.2.19), 8.3.0 (through 8.3.14), 9.0.0 (through 9.0.16), 9.1.0 (through 9.1.12), 9.2.0 (through 9.2.11), 9.3.0 (through 9.3.6), 10.0.0


Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 8.2.20

Tableau Server 8.3.15

Tableau Server 9.0.17

Tableau Server 9.1.13

Tableau Server 9.2.11

Tableau Server 9.3.7

Tableau Server 10.0.1


Workaround: None


Acknowledgement: This issue was found internally

Severity: Medium


Summary: An authenticated attacker with low privileges (that is, even a user who is not an administrator) can send a specially crafted message to Tableau Server that makes Tableau Server unresponsive for an extended period of time.

Vulnerable Versions: Tableau Server 10.0.0


Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 10.0.1


Workaround: None


Acknowledgement: This issue was found internally

Severity: Medium


Summary: Under certain conditions, information prepared for one user might be displayed to another user. For this problem to occur, both users must be looking at the same view, the view must be connected to a data source that returns different attribute values for each user, and the view must not have any user filters or user-specific calculations.


Vulnerable Versions: Tableau Server 9.1.0 (through 9.1.12), 9.2.0 (through 9.2.10), 9.3.0 (through 9.3.5), 10.0.0


Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 9.1.13

Tableau Server 9.2.11

Tableau Server 9.3.6

Tableau Server 10.0.1


Workaround: Customers whose deployment meets the conditions of the vulnerability should upgrade to a non-vulnerable version as soon as possible.

As a temporary measure, you can use either of the following mitigations:

  • Use the following command to disable the model cache on Tableau Server:

tabadmin set vizqlserver.modelcachesize 0


This change might impact the performance of Tableau Server, so we recommend reverting this setting after installing the Tableau upgrade.


Acknowledgement: This vulnerability was reported to Tableau by a customer

Severity: Medium


Summary: An authenticated attacker with the ability to upload or edit a workbook might be able to trigger a cross-site scripting (XSS) vulnerability in Tableau Server.


Vulnerable Versions: Tableau Server 8.2.0 (through 8.2.19), 8.3.0 (through 8.3.14), 9.0.0 (through 9.0.16), 9.1.0 (through 9.1.12), 9.2.0 (through 9.2.11), 9.3.0 (through 9.3.6), 10.0.0


Workaround: None


Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 8.2.20

Tableau Server 8.3.15

Tableau Server 9.0.17

Tableau Server 9.1.13

Tableau Server 9.2.12

Tableau Server 9.3.7

Tableau Server 10.0.1


Acknowledgement: This issue was found internally

Summary: A team of security researchers recently disclosed an issue that has been named HTTPoxy. Tableau has investigated the issue, and we believe that Tableau Server is not vulnerable. As a precaution, we will be updating the Apache configuration in the September maintenance releases to further ensure protection against CVE-2016-5387.


NVD announcement: CVE-2016-5387


Acknowledgement: For more information on HTTPoxy, see https://httpoxy.org
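To show why a front-end Apache change is the right place to address HTTPoxy, the following added example (not part of the Tableau bulletin, and not Tableau's actual configuration change, whose details the bulletin does not give) models how a CGI-style gateway turns a client-supplied Proxy request header into the HTTP_PROXY environment variable, and what stripping that header at the front end achieves. The function names, the sample headers and the hostnames are this example's own constructions.

```python
"""HTTPoxy (CVE-2016-5387) mechanism and front-end mitigation, modelled
in Python.  Added illustration; not code from the Tableau bulletin."""


def cgi_meta_variables(headers):
    """Map request headers to CGI meta-variables the way RFC 3875 does:
    upper-case the name, replace '-' with '_', and prefix with HTTP_.
    A client-supplied 'Proxy' header therefore lands in HTTP_PROXY, the
    variable many HTTP client libraries read as their outbound proxy."""
    env = {}
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def strip_proxy_header(headers):
    """Front-end mitigation: drop any 'Proxy' request header (matched
    case-insensitively) before the CGI environment is built.  This is
    the effect of Apache's `RequestHeader unset Proxy early` directive
    from mod_headers, the commonly published HTTPoxy mitigation."""
    return [(name, value) for name, value in headers if name.lower() != "proxy"]


def outbound_proxy_for(headers):
    """Return the proxy URL an HTTP_PROXY-honouring client inside the
    application would pick up for this request, or None if the request
    cannot influence it."""
    return cgi_meta_variables(headers).get("HTTP_PROXY")


# Constructed sample request: ordinary headers plus a client-supplied
# Proxy header.  Hostnames are placeholders under the reserved .invalid TLD.
SAMPLE_HEADERS = [
    ("Host", "tableau-server.example.invalid"),
    ("User-Agent", "demo-client/1.0"),
    ("Proxy", "http://untrusted-proxy.invalid:8080"),
]

if __name__ == "__main__":
    # Without the front-end fix the request controls the app's proxy;
    # with the header stripped, the environment no longer contains it.
    print("unmitigated HTTP_PROXY:", outbound_proxy_for(SAMPLE_HEADERS))
    print("mitigated   HTTP_PROXY:", outbound_proxy_for(strip_proxy_header(SAMPLE_HEADERS)))
```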