2017

Summary: Tableau Online includes the feature "Admin Views," which allows authenticated site administrators to view usage, traffic, and other metadata on a given site.

On 23 May 2017, from 13:05 PST to 20:00 PST, site administrators could view metadata from other sites hosted on the same Tableau Online pod, including usernames (displayed as email addresses), workbook names, data source names, and view titles. Tableau Online usage statistics indicate that the potential metadata breach was limited to 36 people who logged in and used Admin Views during the outage period.

Data contained in the workbooks was not exposed.

Vulnerable Version: Tableau Online, pods 10AY and US-East-1

Resolution: As of 23 May 2017 20:00 PST the issue has been resolved.

No user action is required.

Summary: Tableau engineering is aware of and responding to the recent WannaCrypt/WannaCry ransomware. Tableau has deployed the necessary patches to secure the integrity of our systems and information and maintains up-to-date anti-malware software. Tableau encourages its customers to review patching in their environments to ensure that MS17-010 is applied to all Windows systems and that all systems have up-to-date anti-malware signatures.

Microsoft MS17-010 Critical Bulletin: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

SANS Internet Storm Center Summary: https://isc.sans.edu/forums/diary/WannaCryWannaCrypt+Ransomware+Summary/22420/

Severity: Critical

Summary: Unauthenticated users can craft requests that execute arbitrary SQL statements in the repository (Postgres) database on Tableau Server.

Impact: This vulnerability could allow remote attackers to gain administrative access to Tableau Server.

Vulnerable Versions: Tableau Server 9.2 (through 9.2.17), 9.3 (through 9.3.14), 10.0 (through 10.0.9), 10.1 (through 10.1.7), 10.2 (through 10.2.1).

Mitigation: To mitigate this vulnerability, run the following tabadmin commands in this order:

    tabadmin stop
    tabadmin set vizqlserver.httprequests.logging.threads 0
    tabadmin configure
    tabadmin start

Resolution: The issue can be fixed by upgrading to one of the following Tableau Server versions:

Tableau Server: 9.2.18
Tableau Server: 9.3.15
Tableau Server: 10.0.10
Tableau Server: 10.1.8
Tableau Server: 10.2.2
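The interim mitigation above is a four-step tabadmin sequence whose order matters (the setting is written while the server is stopped and only takes effect after `tabadmin configure` and a restart). The script below is an added example, not Tableau's own tooling: it runs the advisory's commands in order, stops at the first non-zero exit code, and then reads the setting back to confirm it is active. It assumes that `tabadmin get <key>` prints the current value of a setting and that tabadmin is on PATH on the Tableau Server host; neither is stated on this page. The runner is injectable so the sequence can be rehearsed offline against a constructed stand-in before touching a production server.

```python
"""Apply and verify the advisory's interim tabadmin mitigation.

Added example, not Tableau tooling. Assumptions (not on the advisory page):
`tabadmin get <key>` prints the setting's value, and tabadmin is on PATH.
"""
import subprocess
from typing import Callable, List, Tuple

MITIGATION_KEY = "vizqlserver.httprequests.logging.threads"
MITIGATION_VALUE = "0"

# The exact command sequence from the advisory, in the order it lists them.
MITIGATION_STEPS: List[List[str]] = [
    ["tabadmin", "stop"],
    ["tabadmin", "set", MITIGATION_KEY, MITIGATION_VALUE],
    ["tabadmin", "configure"],
    ["tabadmin", "start"],
]

# A runner takes an argv list and returns (exit_code, stdout).
Runner = Callable[[List[str]], Tuple[int, str]]


def real_runner(argv: List[str]) -> Tuple[int, str]:
    """Execute tabadmin for real on a Tableau Server host."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def apply_mitigation(run: Runner) -> List[List[str]]:
    """Run the advisory's commands in order, aborting on the first failure.

    Returns the commands that were executed so the caller can audit them.
    """
    executed: List[List[str]] = []
    for argv in MITIGATION_STEPS:
        executed.append(argv)
        code, _ = run(argv)
        if code != 0:
            raise RuntimeError(f"{' '.join(argv)} failed with exit code {code}")
    return executed


def mitigation_is_active(run: Runner) -> bool:
    """Read the setting back (assumes `tabadmin get` prints the value)."""
    code, out = run(["tabadmin", "get", MITIGATION_KEY])
    return code == 0 and out.strip() == MITIGATION_VALUE


def make_fake_runner(initial_value: str):
    """Constructed stand-in for tabadmin so the sequence can be rehearsed offline.

    It records every command and tracks the one setting the advisory touches.
    """
    state = {"value": initial_value, "log": []}

    def run(argv: List[str]) -> Tuple[int, str]:
        state["log"].append(argv)
        if argv[1] == "set" and argv[2] == MITIGATION_KEY:
            state["value"] = argv[3]
            return 0, ""
        if argv[1] == "get" and argv[2] == MITIGATION_KEY:
            return 0, state["value"] + "\n"
        return 0, ""

    return run, state


if __name__ == "__main__":
    # Dry run against the fake ("4" is a constructed starting value);
    # pass real_runner instead on an actual server.
    fake, state = make_fake_runner("4")
    print("mitigation active before:", mitigation_is_active(fake))
    apply_mitigation(fake)
    print("mitigation active after:", mitigation_is_active(fake))
    print("commands run:", [" ".join(a) for a in state["log"]])
```

Aborting on the first failure is deliberate: if `tabadmin stop` fails, running `tabadmin set` and `tabadmin configure` against a live server is not what the advisory describes, and the read-back at the end tells you whether the change actually landed rather than assuming it did. The mitigation is interim; the advisory's resolution is the upgrade.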

Severity: Medium

Summary: Tableau Server writes some sensitive information to its log files in plain text.

Impact: Malicious users with access to Tableau logs can read passwords for data sources, or the secrets used to encrypt the private keys used in SSL/TLS communication.

Vulnerable Version: Tableau Server 10.2 (through 10.2.1).

Resolution: The issue can be fixed by upgrading to the following Tableau Server version:

Tableau Server: 10.2.2

Severity: Medium

Summary: This vulnerability requires that a malicious user embed specific parameters in a Tableau workbook. The malicious user must also have rights to publish the workbook on Tableau Server, and must then construct a specially crafted URL that causes arbitrary JavaScript to run in the victim's browser when the workbook is viewed.

Impact: When users open the modified workbook via the specially crafted URL, arbitrary JavaScript can run in their browser session.

Vulnerable Versions: Tableau Server 10.1 (through 10.1.7), 10.2 (through 10.2.1).

Resolution: The issue can be fixed by upgrading to one of the following Tableau Server versions:

Tableau Server: 10.1.8
Tableau Server: 10.2.2
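The three Tableau Server advisories above (the repository SQL injection, the plaintext secrets in logs, and the workbook-parameter cross-site scripting) each give their affected ranges as "branch X (through X.Y)" with a fixed release per branch. The checker below is an added example, not Tableau tooling: its fixed-version tables are copied from those three advisories, and the short advisory names are labels chosen here. A version on a major.minor branch that an advisory does not mention is reported as "unlisted" rather than "fixed", because the advisories say nothing about those branches.

```python
"""Check Tableau Server versions against the fixed versions in the advisories above.

Added example, not Tableau tooling. Tables are transcribed from the three
advisories on this page; the advisory labels are chosen here.
"""
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Per advisory: (major, minor) branch -> first fixed patch level on that branch.
# Any release on a listed branch below that patch level is vulnerable.
FIXED_VERSIONS: Dict[str, Dict[Tuple[int, int], int]] = {
    "repository-sql-injection": {(9, 2): 18, (9, 3): 15, (10, 0): 10, (10, 1): 8, (10, 2): 2},
    "plaintext-secrets-in-logs": {(10, 2): 2},
    "workbook-parameter-xss": {(10, 1): 8, (10, 2): 2},
}


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]'; a missing patch level means .0 (e.g. '10.2')."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Tableau Server version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def status(version: Version, fixed_by_branch: Dict[Tuple[int, int], int]) -> str:
    """'vulnerable', 'fixed', or 'unlisted' (branch not covered by the advisory)."""
    major, minor, patch = version
    fixed_patch = fixed_by_branch.get((major, minor))
    if fixed_patch is None:
        return "unlisted"
    return "fixed" if patch >= fixed_patch else "vulnerable"


def assess(version_text: str) -> Dict[str, str]:
    """Status of one Tableau Server version for each advisory on the page."""
    version = parse_version(version_text)
    return {name: status(version, table) for name, table in FIXED_VERSIONS.items()}


def needs_upgrade(version_text: str) -> bool:
    """True if the version is in any advisory's vulnerable range."""
    return "vulnerable" in assess(version_text).values()


if __name__ == "__main__":
    # Constructed inventory; a real one would come from asset data.
    inventory = [("bi-prod-01", "10.2.1"), ("bi-prod-02", "10.1.8"), ("bi-legacy", "9.1.12")]
    for host, ver in inventory:
        flag = "UPGRADE" if needs_upgrade(ver) else "ok"
        print(f"{host:<12} {ver:<8} {flag:<8} {assess(ver)}")
```

Treating unlisted branches as a separate state is the point of the example: a 9.1.x host comes back "unlisted" for every advisory, which is a prompt to check whether that branch was still supported at the time, not a clean bill of health.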

Summary: The Tableau Software security engineering team has confirmed that Tableau Online and Tableau Public servers are not vulnerable to the recently disclosed Intel AMT privilege escalation vulnerability.

NVD Announcement for CVE-2017-5689: https://nvd.nist.gov/vuln/detail/CVE-2017-5689