2017

Severity: High

Summary: An authenticated remote attacker can send a specially crafted message that results in the disclosure of information from Tableau Server.

Impact: Exploiting the authenticated API call can disclose information that the Tableau Server Run As User service account has access to. Because that is the account under which the Tableau Server processes run, the exposure is not limited to Tableau content: anything the service account can read on the host is potentially in scope.

Vulnerable Versions: 9.3.0 (through 9.3.15), 10.0.0 (through 10.0.10), 10.1.0 (through 10.1.8), 10.2.0 (through 10.2.2), 10.3.0

Workarounds: None

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server: 9.3.16

Tableau Server: 10.0.11

Tableau Server: 10.1.9

Tableau Server: 10.2.3

Tableau Server: 10.3.1

Severity: High

Summary: Tableau Desktop on the Mac includes a MySQL driver. The MySQL driver, version 5.3.4 and earlier, contains an outdated, vulnerable version of the OpenSSL library (1.0.1g). The following Tableau connectors use the MySQL driver: Amazon Aurora, Google Cloud SQL, MemSQL, MongoDB BI Connector and MySQL.

Impact: Users running Tableau Desktop on the Mac who create connections with MySQL over SSL are exposed to the vulnerability, which may result in denial of service or remote code execution. The exposure described here applies to SSL connections; the vulnerable library remains on the machine regardless of how individual connections are configured.

Vulnerable Versions: Tableau Desktop on the Mac 9.3 (through 9.3.15), 10.0 (through 10.0.10), 10.1 (through 10.1.8), 10.2 (through 10.2.2), 10.3.0.

The MySQL driver was not included on versions prior to 9.3.15. However, the driver may have been installed on earlier versions of Tableau Desktop by users who downloaded the MySQL driver directly from Oracle.

Resolution: As of the releases listed here, Tableau no longer installs the MySQL driver with Tableau Desktop on the Mac:

Tableau Desktop on the Mac: 9.3.16

Tableau Desktop on the Mac: 10.0.11

Tableau Desktop on the Mac: 10.1.9

Tableau Desktop on the Mac: 10.2.3

Tableau Desktop on the Mac: 10.3.1

Because the upgrade only changes what Tableau installs, we recommend that customers also remove any MySQL driver already present on the machine until an updated version is provided by Oracle. For more information, see Driver Download.

Customers running macOS Sierra or later can install a current version of the MySQL driver, which no longer uses the OpenSSL library.

More Information: The OpenSSL vulnerability is documented on the NIST website at CVE-2016-2108 Detail. CVE-2016-2108 is a memory corruption bug in the OpenSSL ASN.1 encoder; it was fixed in OpenSSL 1.0.1o and 1.0.2c, and the 1.0.1 branch itself reached end of life at the end of 2016, so any driver still linked against 1.0.1g is well behind on fixes.

Severity: High

Summary: Tableau Server and Tableau Desktop include an outdated version of libtiff, a third-party TIFF image library shipped as a dynamic link library.

Impact: The outdated version contains buffer overflows and other memory-safety bugs that can be triggered by a crafted TIFF image and could result in denial of service or remote code execution.

Vulnerable Versions: 8.3 (through 8.3.19), 9.0 (through 9.0.22), 9.1 (through 9.1.19), 9.2 (through 9.2.18), 9.3 (through 9.3.15), 10.0 (through 10.0.10), 10.1 (through 10.1.8), 10.2 (through 10.2.2).

Resolution: The issue can be fixed by upgrading to the following Tableau Server and Tableau Desktop versions:

Tableau Server, Tableau Desktop: 8.3.20

Tableau Server, Tableau Desktop: 9.0.23

Tableau Server, Tableau Desktop: 9.1.20

Tableau Server, Tableau Desktop: 9.2.19

Tableau Server, Tableau Desktop: 9.3.16

Tableau Server, Tableau Desktop: 10.0.11

Tableau Server, Tableau Desktop: 10.1.9

Tableau Server, Tableau Desktop: 10.2.3

More Information: The following vulnerabilities are resolved with the upgrade:

CVE-2016-9535

CVE-2015-7554

CVE-2016-8331

CVE-2016-6223

CVE-2016-9448

CVE-2016-5323

CVE-2016-9297

CVE-2016-5315

CVE-2016-5317

CVE-2016-5321

CVE-2016-5318

CVE-2016-9273

CVE-2015-8683

CVE-2015-8665

CVE-2015-1547

CVE-2014-9655

See https://cve.mitre.org/index.html for an index of CVEs.

Severity: Medium

Summary: Tableau Server exposes an API call that does not require authentication and that performs a non-trivial amount of work on the server for each request.

Impact: Repeated calls to the unauthenticated API can exhaust server resources and result in a slow or unresponsive Tableau Server. Because no credentials are needed, any client that can reach the server can trigger it.

Vulnerable Versions: Tableau Server 9.0 (through 9.0.22), 9.1 (through 9.1.19), 9.2 (through 9.2.18), 9.3 (through 9.3.15), 10.0 (through 10.0.10), 10.1 (through 10.1.8), 10.2 (through 10.2.2).

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server: 9.0.23

Tableau Server: 9.1.20

Tableau Server: 9.2.19

Tableau Server: 9.3.16

Tableau Server: 10.0.11

Tableau Server: 10.1.9

Tableau Server: 10.2.3

[Important] ADV-2017-013: Unauthenticated privilege escalation when Server SAML is configured on Tableau Server

Severity: Critical

Summary: Tableau Server is vulnerable to an unauthenticated privilege escalation under the following conditions:

      • Installations that have Server SAML and Local Authentication configured in tandem.

The following configurations are NOT vulnerable:

      • Installations that only use Site SAML.
      • User accounts that have been configured with an explicit password to enable REST API or tabcmd access.
      • Organizations that synchronize user accounts from Active Directory.

Note that the second item applies per account, not per installation: on a vulnerable installation, accounts without an explicit password remain exposed.

For guidance on determining whether your organization is running a vulnerable configuration, see Questions and Answers regarding ADV-2017-013: Privilege escalation in Tableau Server.

Impact: An unauthenticated attacker can escalate their privilege to access resources with the permissions of other Tableau Server users.

Vulnerable Versions: 10.0.0 (through 10.0.10), 10.1.0 (through 10.1.8), 10.2.0 (through 10.2.2), 10.3.0

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server: 10.0.11

Tableau Server: 10.1.9

Tableau Server: 10.2.3

Tableau Server: 10.3.1

Mitigation: If your Tableau Server instance is using one of the vulnerable configurations and you are unable to upgrade to a fixed version now, see Questions and Answers regarding ADV-2017-013: Privilege escalation in Tableau Server.

Acknowledgement: Greg Harris of the Fitbit Security Team
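Each advisory above gives its affected range as a set of maintenance branches with a last vulnerable and first fixed release, and the branches covered differ from one advisory to the next (the libtiff and denial-of-service advisories, for instance, say nothing about 10.3). The following is an added example, not Tableau's own tooling, that transcribes those ranges and classifies an installed version against all five advisories at once; the short ids other than ADV-2017-013 are labels chosen here because the page gives the other advisories no identifier, and a version on a branch an advisory never lists is reported as "not listed" rather than assumed safe.

```python
"""Classify an installed Tableau version against the vulnerable ranges in the
2017 advisories on this page.  Added example, not Tableau tooling: the ranges
are transcribed from the advisories; the short ids other than ADV-2017-013 are
labels chosen here because the page gives those advisories no identifier."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]
Finding = Tuple[str, Optional[str]]   # (state, first fixed version or None)

SERVER = "Tableau Server"
DESKTOP = "Tableau Desktop"


def parse_version(text: str) -> Version:
    """'10.1.8' -> (10, 1, 8); a two-part '10.3' means that branch's .0 release."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) == 2:
        parts.append(0)
    if len(parts) != 3 or min(parts) < 0:
        raise ValueError(f"unexpected Tableau version string: {text!r}")
    return (parts[0], parts[1], parts[2])


@dataclass(frozen=True)
class Advisory:
    id: str
    title: str
    products: Tuple[str, ...]
    # one entry per maintenance branch: (last vulnerable, first fixed)
    branches: Tuple[Tuple[str, str], ...]
    mac_only: bool = False   # the MySQL driver issue is Desktop on the Mac only


# Ranges as stated in the advisories above ("X (through Y)" -> last vulnerable Y).
ADVISORIES = (
    Advisory("info-disclosure", "authenticated API information disclosure", (SERVER,),
             (("9.3.15", "9.3.16"), ("10.0.10", "10.0.11"), ("10.1.8", "10.1.9"),
              ("10.2.2", "10.2.3"), ("10.3.0", "10.3.1"))),
    Advisory("mysql-driver", "bundled MySQL driver with OpenSSL 1.0.1g", (DESKTOP,),
             (("9.3.15", "9.3.16"), ("10.0.10", "10.0.11"), ("10.1.8", "10.1.9"),
              ("10.2.2", "10.2.3"), ("10.3.0", "10.3.1")), mac_only=True),
    Advisory("libtiff", "outdated libtiff", (SERVER, DESKTOP),
             (("8.3.19", "8.3.20"), ("9.0.22", "9.0.23"), ("9.1.19", "9.1.20"),
              ("9.2.18", "9.2.19"), ("9.3.15", "9.3.16"), ("10.0.10", "10.0.11"),
              ("10.1.8", "10.1.9"), ("10.2.2", "10.2.3"))),
    Advisory("unauth-dos", "unauthenticated API denial of service", (SERVER,),
             (("9.0.22", "9.0.23"), ("9.1.19", "9.1.20"), ("9.2.18", "9.2.19"),
              ("9.3.15", "9.3.16"), ("10.0.10", "10.0.11"), ("10.1.8", "10.1.9"),
              ("10.2.2", "10.2.3"))),
    Advisory("ADV-2017-013", "Server SAML privilege escalation", (SERVER,),
             (("10.0.10", "10.0.11"), ("10.1.8", "10.1.9"), ("10.2.2", "10.2.3"),
              ("10.3.0", "10.3.1"))),
)


def classify(adv: Advisory, v: Version) -> Finding:
    """A version is affected if it sits on a listed branch at or below that
    branch's last vulnerable release.  A branch the advisory never mentions
    (e.g. 10.3 for the libtiff issue) is reported as 'not listed', never
    silently as safe."""
    for last_vuln, first_fixed in adv.branches:
        lv = parse_version(last_vuln)
        if v[:2] == lv[:2]:
            return ("vulnerable", first_fixed) if v <= lv else ("fixed", None)
    return ("not listed", None)


def check(product: str, version: str, on_mac: bool = False) -> Dict[str, Finding]:
    """Findings keyed by advisory id for one installed product and version.
    For ADV-2017-013 'vulnerable' only means the version is in range; whether
    the Server SAML plus Local Authentication condition holds is not checked."""
    v = parse_version(version)
    return {adv.id: classify(adv, v)
            for adv in ADVISORIES
            if product in adv.products and (on_mac or not adv.mac_only)}


if __name__ == "__main__":
    for product, version, mac in ((SERVER, "10.3.0", False), (DESKTOP, "9.3.15", True)):
        print(f"{product} {version}{' (macOS)' if mac else ''}:")
        for adv_id, (state, fixed) in check(product, version, mac).items():
            print(f"  {adv_id:16} {state}" + (f", upgrade to {fixed}" if fixed else ""))
```

The "not listed" state is deliberate: a Tableau Server 10.3.0 install is in range for the information disclosure and ADV-2017-013 advisories but simply absent from the libtiff and denial-of-service ones, and a version-range check should surface that gap rather than report it as clean. Likewise, a "vulnerable" result for ADV-2017-013 is a version match only; the Server SAML plus Local Authentication condition has to be confirmed separately.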