Severity: High

Summary: Tableau Server ships with a version of the Java Runtime Environment (JRE) that contains a vulnerability in Java Management Extensions (JMX).  By default, JMX is disabled on Tableau Server, and default installations are not exposed to this vulnerability.  However, customers who have enabled JMX to use monitoring tools such as TabMon or TabJolt might be exposed to this vulnerability.

Vulnerable Versions: All current versions of Tableau Server are vulnerable.

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 9.0.19

Tableau Server 9.1.15

Tableau Server 9.2.14

Tableau Server 9.3.09

Tableau Server 10.0.3


Workaround:  JMX is disabled by default.  If JMX has been enabled, run the following tabadmin commands to disable JMX:

tabadmin stop

tabadmin set service.jmx_enabled false

tabadmin configure

tabadmin start

Customers should enable JMX ports only for a specific use case (for example, at the request of Tableau Support). Even then, the ports should be accessible only to trusted users. For details, see Enable JMX Ports in the Tableau Server help.

Acknowledgement:  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3427