2017

[Informational] INF-2017-005: Extract Refreshes can unhide columns

 

Summary: If you have any extracts on Tableau Server with hidden columns, when you refresh, the columns become unhidden.

 

This can lead to slower extract refreshes, larger extracts, slower viz performance, and previously hidden columns becoming visible to users.

 

See issue 670693 on https://www.tableau.com/support/known-issues.

 

Versions Affected: Tableau Server 10.2.3, Tableau Desktop 10.2.3

[Important] ADV-2017-018: Privilege escalation when using Mutual SSL on Tableau Server

 

Severity: Critical

 

Summary: There is an authentication bypass vulnerability that allows an attacker to authenticate as a Tableau Server user of their choice.

 

The vulnerability is exploitable when the following conditions are true:

  • Tableau Server is configured for Mutual SSL authentication (authentication with client certificates)
  • The insecure HTTP port (default is port 80) is accessible to an attacker

 

Impact: An unauthenticated attacker can access Tableau Server as a Tableau Server user.

 

Vulnerable Versions: 9.1.0 (through 9.1.19), 9.2.0 (through 9.2.18), 9.3.0 (through 9.3.16), 10.0.0 (through 10.0.11), 10.1.0 (through 10.1.9), 10.2.0 (through 10.2.3), 10.3.0 (through 10.3.1)

 

Mitigation: Disable the insecure HTTP port (default is port 80) on the computer running Tableau Server.

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 9.1.20

Tableau Server 9.2.19

Tableau Server 9.3.17

Tableau Server 10.0.12

Tableau Server 10.1.10

Tableau Server 10.2.4

Tableau Server 10.3.2
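
As an added example (not part of Tableau's advisory), the following Python script triages a server against ADV-2017-018 using the version ranges and the two exploitability conditions listed above. The function names and the sample host are hypothetical, whether Mutual SSL is enabled is supplied by the operator, and the port check is only meaningful when run from a network position an untrusted client would have.

```python
import socket

# Fixed patch level per branch, from the advisory's Resolution list.
FIXED = {(9, 1): 20, (9, 2): 19, (9, 3): 17, (10, 0): 12,
         (10, 1): 10, (10, 2): 4, (10, 3): 2}

def parse_version(text):
    """Turn '10.2.3' into (10, 2, 3); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"expected MAJOR.MINOR.PATCH, got {text!r}")
    return tuple(int(p) for p in parts)

def fixed_release(text):
    """Fixed version for this branch, or None if the advisory does not list it."""
    major, minor, _ = parse_version(text)
    patch = FIXED.get((major, minor))
    return None if patch is None else f"{major}.{minor}.{patch}"

def is_vulnerable_version(text):
    """True only for versions inside a range the advisory names."""
    major, minor, patch = parse_version(text)
    fixed = FIXED.get((major, minor))
    return fixed is not None and patch < fixed

def port_open(host, port=80, timeout=2.0):
    """True if a TCP connection to host:port succeeds from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def triage(version, mutual_ssl_enabled, http_reachable):
    """Combine the version range with the advisory's two conditions."""
    if fixed_release(version) is None:
        return "not-listed"          # branch not covered; no claim either way
    if not is_vulnerable_version(version):
        return "fixed"
    if mutual_ssl_enabled and http_reachable:
        return "exposed"             # upgrade, or disable the HTTP port now
    return "vulnerable-version"      # still upgrade; conditions not met today

if __name__ == "__main__":
    # Constructed sample values; HOST is a placeholder for your own server.
    HOST, VERSION, MUTUAL_SSL = "tableau.example.internal", "10.2.3", True
    print(triage(VERSION, MUTUAL_SSL, port_open(HOST)), "->", fixed_release(VERSION))
```

A result of "vulnerable-version" means the mitigation conditions hold at the moment of the check; the upgrade listed under Resolution is still the fix.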

[Important] ADV-2017-016: REST API may trigger refresh extracts on the wrong site

 

Severity: Medium

 

Summary: In some cases, REST API calls intended for one site will refresh an extract for a different site hosted on the Tableau Server.

 

Impact: An extract on another site will be triggered. This results in unnecessary consumption of resources. In addition, workbook and data source names are disclosed as a byproduct of the extract refresh to the site that initiated the refresh.

 

Data from the extract or target data source are not disclosed.

 

Vulnerable Versions: 10.3.0 (through 10.3.1)

 

Mitigation: None

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server: 10.3.2