2018

Severity: Informational

 

Summary: When connecting to a datasource using Web Authoring in Tableau Server and Tableau Online, the “Require SSL” checkbox is not persisted when the workbook is saved. If the datasource has SSL and non-SSL connections enabled, the workbook will connect to the datasource without using SSL.

 

On Tableau Desktop, the “Require SSL” checkbox is persisted to the workbook and operates as intended when the workbook is opened in Desktop and when it is published to Tableau Server or Tableau Online.

 

Impact: Workbooks that are intended to connect to a datasource over SSL do not use SSL and instead connect over plaintext.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server on Windows: 2018.1.1

Tableau Server on Linux: 2018.1.1

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server on Windows: 2018.1.2

Tableau Server on Linux: 2018.1.2

Severity: Medium

 

Summary: The tabcmd utility logs all commands and their parameters to a local log file. When sensitive parameters are given, such as the password parameter used to authenticate to Tableau Server, the value is written to the log in plaintext.

 

Impact: Malicious users with access to the tabcmd logs can access passwords that are used for authenticating to Tableau Server.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server: 9.2 through 9.2.24

Tableau Server: 9.3 through 9.3.22

Tableau Server: 10.0 through 10.0.18

Tableau Server: 10.1 through 10.1.17

Tableau Server: 10.2 through 10.2.13

Tableau Server: 10.3 through 10.3.11

Tableau Server: 10.4 through 10.4.7

Tableau Server on Windows: 10.5 through 10.5.4

Tableau Server on Linux: 10.5 through 10.5.4

Tableau Server on Windows: 2018.1.1

Tableau Server on Linux: 2018.1.1

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server: 9.2.25

Tableau Server: 9.3.23

Tableau Server: 10.0.19

Tableau Server: 10.1.18

Tableau Server: 10.2.14

Tableau Server: 10.3.12

Tableau Server: 10.4.8

Tableau Server on Windows: 10.5.5

Tableau Server on Linux: 10.5.5

Tableau Server on Windows: 2018.1.2

Tableau Server on Linux: 2018.1.2

Severity: High

 

Summary: Tableau Server installs and uses the Java JRE. The April 2018 updates to the Java JRE contained an unspecified high severity issue (CVE-2018-2783) that may present a risk to Tableau Server.

 

Impact: From http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixJAVA :

(The vulnerability) applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server: 9.2 through 9.2.24

Tableau Server: 9.3 through 9.3.22

Tableau Server: 10.0 through 10.0.18

Tableau Server: 10.1 through 10.1.17

Tableau Server: 10.2 through 10.2.13

Tableau Server: 10.3 through 10.3.11

Tableau Server: 10.4 through 10.4.7

Tableau Server on Windows: 10.5 through 10.5.4

Tableau Server on Linux: 10.5 through 10.5.4

Tableau Server on Windows: 2018.1.1

Tableau Server on Linux: 2018.1.1

 

Resolution: The issue can be fixed by upgrading to the following version, which includes an updated version of the Java JRE:

Tableau Server: 9.2.25

Tableau Server: 9.3.23

Tableau Server: 10.0.19

Tableau Server: 10.1.18

Tableau Server: 10.2.14

Tableau Server: 10.3.12

Tableau Server: 10.4.8

Tableau Server on Windows: 10.5.5

Tableau Server on Linux: 10.5.5

Tableau Server on Windows: 2018.1.2

Tableau Server on Linux: 2018.1.2

 

More information: NIST CVE-2018-2783

Severity: Medium

 

Summary: Tableau Services Manager (TSM) CLI logs all commands and their parameters to a local log file. When sensitive parameters are given, such as the password parameter used to authenticate to TSM, the value is written to the log in plaintext.

The TSM CLI component is included in Tableau Server on Linux. Tableau Server on Windows is not affected by this vulnerability.

 

Impact: Malicious users with access to the TSM CLI logs can access passwords that are used for authenticating to Tableau Services Manager.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server for Linux 10.5 (through 10.5.4)

Tableau Server on Linux 2018.1 (through 2018.1.1)

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server on Linux 10.5.5

Tableau Server on Linux 2018.1.2

 

Acknowledgements: This issue was reported to Tableau by Paul Grimshaw (Totally Techy).
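As an added example (not Tableau's code), the following Python script finds and redacts passwords passed with `-p` or `--password` in command logs such as those described in the tabcmd and TSM CLI advisories above. The sample log lines, host name and credentials are constructed, and the layout of the real log files is an assumption.

```python
import re

# Matches -p / --password followed by a value, as accepted on the tabcmd and
# tsm command lines. --password-file (a path, not a secret) is not matched.
PASSWORD_ARG = re.compile(
    r"""(?<!\S)(?P<flag>--password|-p)(?P<sep>=|\s+)(?!-)"""
    r"""(?P<value>"[^"]*"|'[^']*'|\S+)"""
)


def redact_line(line):
    """Return (redacted_line, hit_count); the secret itself is never returned."""
    return PASSWORD_ARG.subn(
        lambda m: m.group("flag") + m.group("sep") + "<REDACTED>", line
    )


def scan_log(lines):
    """Return [(line_number, redacted_line)] for lines that held a password."""
    findings = []
    for number, line in enumerate(lines, start=1):
        redacted, hits = redact_line(line.rstrip("\n"))
        if hits:
            findings.append((number, redacted))
    return findings


# Constructed sample lines (assumed layout: timestamp, level, command line).
SAMPLE_LOG = [
    "2018-05-01 10:00:01 INFO  tabcmd login -s https://tableau.example.test -u admin -p Sup3rS3cret",
    "2018-05-01 10:00:05 INFO  tabcmd login -s https://tableau.example.test -u admin --password-file /secure/pw.txt",
    '2018-05-01 10:01:12 INFO  tsm login -u tsmadmin --password "two words"',
    "2018-05-01 10:02:30 INFO  tsm status -v",
    "2018-05-01 10:03:00 INFO  tabcmd login -u admin --password=hunter2 --no-certcheck",
]

if __name__ == "__main__":
    for number, redacted in scan_log(SAMPLE_LOG):
        print(f"line {number}: {redacted}")
```

Any password this reports should be treated as exposed and changed once the fixed version is installed, and the affected log files rewritten with the redacted lines or removed.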

Severity: Medium

 

Summary: The authentication mechanism on the internal REST service that is used by Tableau Prep can be bypassed. The REST service runs only while Tableau Prep is being used. Since the REST service only listens on localhost, an attacker would have to have access to execute code on the host to exploit this vulnerability. In the remote case, a user would have to visit a malicious website that exploits the vulnerability.

 

Impact: An attacker that can make calls to the REST service can read data from the datasources that Tableau Prep is connected to.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Prep 2018.1 through 2018.1.1

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Prep 2018.1.2 or later