[Important] ADV-2017-018: Privilege escalation when using Mutual SSL on Tableau Server


Severity: Critical


Summary: There is an authentication bypass vulnerability that allows an attacker to authenticate as a Tableau Server user of their choice.


The vulnerability is exploitable when the following conditions are true:

  • Tableau Server is configured for Mutual SSL authentication (authentication with client certificates)
  • The insecure HTTP port (default is port 80) is accessible to an attacker


Impact: An unauthenticated attacker can access Tableau Server as a Tableau Server user of their choice.


Vulnerable Versions: 9.1.0 (through 9.1.19), 9.2.0 (through 9.2.18), 9.3.0 (through 9.3.16), 10.0.0 (through 10.0.11), 10.1.0 (through 10.1.9), 10.2.0 (through 10.2.3), 10.3.0 (through 10.3.1)


Mitigation: Disable the insecure HTTP port (default is port 80) on the computer running Tableau Server. This removes the second exploitation condition above but does not remove the underlying defect; upgrading to a fixed version (see Resolution) remains the fix.


Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 9.1.20

Tableau Server 9.2.19

Tableau Server 9.3.17

Tableau Server 10.0.12

Tableau Server 10.1.10

Tableau Server 10.2.4

Tableau Server 10.3.2
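The following is an added example, not part of the advisory or of Tableau's own tooling. It turns the two exploitation conditions and the Resolution list above into a small offline-runnable check: is the build older than the fix for its release branch, and does a plain TCP connect to the HTTP port succeed from the probing host (the attacker's view of "accessible", and the same check used to confirm the mitigation after the port is disabled). The fixed-version table is taken directly from the Resolution section; release branches the advisory does not mention (for example 9.0.x or 10.4.x) return "not vulnerable" because the page makes no claim about them. The first condition, that Mutual SSL is configured, cannot be inferred from a port probe and must be confirmed in the server configuration; the host name, port and the `assess` wording are assumptions of this example.

```python
"""Added example for ADV-2017-018: version check plus insecure-HTTP-port reachability check.
Not Tableau code; the host/port defaults and verdict strings are this example's own."""
import socket
import sys

# Fixed versions per release branch, exactly as listed in the advisory's Resolution section.
# A build is vulnerable if it is on one of these branches and older than the branch's fix.
FIXED_VERSIONS = {
    (9, 1): (9, 1, 20),
    (9, 2): (9, 2, 19),
    (9, 3): (9, 3, 17),
    (10, 0): (10, 0, 12),
    (10, 1): (10, 1, 10),
    (10, 2): (10, 2, 4),
    (10, 3): (10, 3, 2),
}


def parse_version(text):
    """Turn '10.2.3' into (10, 2, 3); raises ValueError on malformed input."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.patch, got {text!r}")
    return parts


def is_vulnerable_version(text):
    """True if the version is on an affected branch and predates that branch's fix.

    Branches the advisory does not list return False: the page says nothing about
    them, so this check makes no claim either way.
    """
    major, minor, patch = parse_version(text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return False
    return (major, minor, patch) < fixed


def http_port_reachable(host, port, timeout=3.0):
    """Attacker-side view of the second condition: does a TCP connect to the HTTP port succeed?

    Run it from outside the trust boundary before patching to confirm exposure, and
    again after disabling the port to confirm the mitigation actually took effect.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess(version, host, http_port=80):
    """Combine both checks into one verdict (wording is this example's, not the advisory's)."""
    vulnerable = is_vulnerable_version(version)
    exposed = http_port_reachable(host, http_port)
    if vulnerable and exposed:
        return "EXPOSED: vulnerable build and insecure HTTP port reachable; disable the port or upgrade"
    if vulnerable:
        return "MITIGATED: vulnerable build, insecure HTTP port not reachable; upgrade when possible"
    return "NOT VULNERABLE: build includes the fix (or branch not covered by ADV-2017-018)"


def demo_port_check():
    """Self-contained demonstration of the reachability check on a local listener.

    Binds an ephemeral port on 127.0.0.1 (constructed stand-in for an exposed HTTP
    port), probes it, closes it, probes again. Returns (before_close, after_close).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    before = http_port_reachable("127.0.0.1", port, timeout=1.0)
    listener.close()
    after = http_port_reachable("127.0.0.1", port, timeout=1.0)
    return before, after


if __name__ == "__main__":
    # Hypothetical usage: python check_adv_2017_018.py 10.2.3 tableau.example.internal
    ver = sys.argv[1] if len(sys.argv) > 1 else "10.2.3"
    host = sys.argv[2] if len(sys.argv) > 2 else "127.0.0.1"
    print(assess(ver, host))
    print("local listener reachable before/after close:", demo_port_check())
```

Probe from a host an attacker could plausibly reach (outside any firewall that already blocks port 80), not from the Tableau Server itself: a port that is closed locally but forwarded by a load balancer still satisfies the advisory's second condition.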