Skip navigation
2017

Severity: High

 

Summary: Tableau Desktop and Tableau server uses a version of FlexNet Publisher that contains a vulnerability. The vulnerability can be exploited by malicious, local users on Windows systems.

 

Impact: Attackers may gain elevated privileges on the computer running Tableau Desktop for Windows or on Tableau Server.

Vulnerable Versions: Tableau Desktop for Windows and Tableau Server 9.0.0 (through 9.0.23), 9.1.0 (through 9.1.20), 9.2.0 (through 9.2.19) 9.3.0 (through 9.3.17), 10.0.0 (through 10.0.12), 10.1.0 (through 10.1.10), 10.2.0 (through 10.2.4), 10.3.0 (through 10.3.2) and 10.4.0.

 

Mitigation: None.

 

Resolution: The issue can be fixed by upgrading to the following versions:

 

Tableau Server and Tableau Desktop 9.0.24

Tableau Server and Tableau Desktop 9.1.21

Tableau Server and Tableau Desktop 9.2.20

Tableau Server and Tableau Desktop 9.3.18

Tableau Server and Tableau Desktop 10.0.13

Tableau Server and Tableau Desktop 10.1.11

Tableau Server and Tableau Desktop 10.2.5

Tableau Server and Tableau Desktop 10.3.3

Tableau Server and Tableau Desktop 10.4.1

 

More information: https://nvd.nist.gov/vuln/detail/CVE-2016-10395

 

Updates:

 

9/20/17 - corrected Resolution to include Tableau Desktop

9/25/17 - added 10.4 to the Vulnerable Versions List

10/18/17 - updated Resolution to include versions 9.0-9.3

11/9/17 - updated Resolution to include version 10.4

Severity: Medium

 

Summary: The latest release of Tableau Server includes an updated version of Apache HTTPD (2.4.26). Apache HTTPD 2.4.26 fixes five vulnerabilities. Specifically, Apache HTTPD 2.4.26 fixes a MIME overread vulnerability (CVE-2017-7679) that exposes the potential to disclose sensitive information.

 

Impact: A malicious exploit of the MIME overread vulnerability could result in sensitive information disclosure.

 

Vulnerable Versions: Tableau Server 9.0.0 (through 9.0.23), 9.1.0 (through 9.1.20), 9.2.0 (through 9.2.19) 9.3.0 (through 9.3.17), 10.0.0 (through 10.0.12), 10.1.0 (through 10.1.10), 10.2.0 (through 10.2.4), 10.3.0 (through 10.3.2)

 

Resolution: The issue can be fixed by upgrading to the following versions:

 

Tableau Server 9.0.24

Tableau Server 9.1.21

Tableau Server 9.2.20

Tableau Server 9.3.18

Tableau Server 10.0.13

Tableau Server 10.1.11

Tableau Server 10.2.5

Tableau Server 10.3.3

 

More information: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7679

 

Updates:

10/18/2017 - updated resolution to include fixes in 9.0 through 9.3

Severity: Medium

 

Summary: Tableau Server writes some sensitive information to the log files in plain text.

 

Impact: Malicious users with access to Tableau logs may be able to access passwords to data sources.

 

Vulnerable Versions: 10.3.0 (through 10.3.2)

 

Resolution: The issue can be fixed by upgrading to the following version:

 

Tableau Server 10.3.3

Severity: High

 

Summary: A vulnerable version of Tableau Server configured for Site SAML contains a flaw that can be exploited by an attacker to log into a site that they are not a member of. The attacker must have site administrator privileges on a site on the same server.

Impact: An attacker could log into a site they do not have access to.

 

Vulnerable Versions: 10.0(through 10.0.12), 10.1 (through 10.1.10), 10.2 (through 10.2.4), 10.3 (through 10.3.2)

 

Resolution: The issue can be fixed by upgrading to the following versions:

 

Tableau Server 10.0.13

Tableau Server 10.1.11

Tableau Server 10.2.5

Tableau Server 10.3.3

Summary: Tableau Software has confirmed that no version of Tableau Server currently supported is impacted by CVE-2017-9805. Tableau Software has also confirmed that Tableau Online is not impacted by CVE-2017-9805.

 

Tableau Server versions 10.0.0 – 10.0.10 and 10.1.0 – 10.1.8 did ship with the Struts components but were not used in a way that is vulnerable and have been removed.