Severity: High

 

Summary: Tableau Desktop on the Mac includes MySQL driver. The MySQL driver, version 5.3.4 and earlier contains an outdated, vulnerable version of OpenSSL library (1.0.1g). The following Tableau connectors use the MySQL driver: Amazon Aurora, Google Cloud

SQL, MemSQL, MongoDB BI Connector and MySQL.

 

Impact: Users running Tableau Desktop on the Mac who create connections with MySQL over SSL are exposed to the vulnerability. The vulnerability may result in denial of service or remote code execution.

 

Vulnerable Versions: Tableau Desktop on the Mac 9.3 (through 9.3.15), 10.0 (through 10.0.10), 10.1 (through 10.1.8), 10.2 (through 10.2.2), 10.3.0.

The MySQL driver was not included on versions prior to 9.3.15. However, the driver may have been installed on earlier versions of Tableau Desktop by users who downloaded the MySQL driver directly from Oracle.

 

Resolution: As of the new releases listed here, Tableau no longer installs the MySQL driver in the Tableau Desktop on the Mac.

Tableau Desktop on the Mac: 9.3.16

Tableau Desktop on the Mac: 10.0.11

Tableau Desktop on the Mac: 10.1.9

Tableau Desktop on the Mac: 10.2.3

Tableau Desktop on the Mac: 10.3.1

 

We recommend that customers remove the MySQL driver until an updated version is provided by Oracle. For more information, see Driver Download.

 

Customers running Mac Sierra or later can install a current version of MySQL driver, which no longer uses the OpenSSL library. More Information: The OpenSSL vulnerability is documented on the NIST website at CVE-2016-2108 Detail.