Severity: Medium

 

Summary: Tableau Server and Tableau Desktop may misinterpret part of a password as a delimiter and fail to remove the entire password when writing log statements. Tableau writes logs to access-controlled areas of the file system.

 

Impact: A password used to connect with an ODBC-based connector may be partially disclosed. If the password contains certain special characters, Tableau will interpret those characters as delimiters. In this case, a portion of the password will be written in cleartext to the application logs. An attacker with access to these log files will have access to a portion of the password, thereby increasing the probability of a successful brute-force attack on the database.
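The failure mode described above, shown as an added example that is not Tableau's code: a log scrubber that stops at the first delimiter beside one that parses quoted values before redacting. The advisory does not name the special characters involved; the ODBC-style `;` delimiter and `{...}` quoting, the `PWD`/`PASSWORD` key names, the sample string and all function names are assumptions made for illustration.

```python
import re

# Constructed sample (not from the advisory): the password contains ';' and
# '}', so ODBC-style quoting wraps it in braces and doubles the '}'.
SAMPLE = "DRIVER={Example Driver};UID=report;PWD={S3cr;et}}Tail};DATABASE=sales"
SECRET_KEYS = {"pwd", "password"}  # assumed attribute names

def naive_scrub(conn_str):
    """Flawed scrubber: assumes the password ends at the first ';'."""
    return re.sub(r"(?i)\b(pwd|password)=[^;]*", r"\1=***", conn_str)

def parse_pairs(conn_str):
    """Yield (key, raw_value) pairs, honouring {...} quoting ('}}' = literal '}')."""
    i, n = 0, len(conn_str)
    while i < n:
        eq = conn_str.find("=", i)
        if eq == -1:                      # trailing text with no '=': keep as-is
            yield conn_str[i:], None
            return
        j = eq + 1
        if j < n and conn_str[j] == "{":  # brace-quoted value
            j += 1
            while j < n:
                if conn_str[j] == "}" and conn_str[j + 1:j + 2] == "}":
                    j += 2                # escaped brace, still inside the value
                elif conn_str[j] == "}":
                    j += 1                # closing brace
                    break
                else:
                    j += 1
        # An unterminated brace runs j to the end, so the rest is treated as
        # part of the value and redacted with it (fail closed).
        end = conn_str.find(";", j)
        end = n if end == -1 else end
        yield conn_str[i:eq].strip(" ;"), conn_str[eq + 1:end]
        i = end + 1

def safe_scrub(conn_str):
    """Redact whole secret values after delimiter-aware parsing."""
    out = []
    for key, value in parse_pairs(conn_str):
        if value is None:
            out.append(key)
        elif key.lower() in SECRET_KEYS:
            out.append(f"{key}=***")
        else:
            out.append(f"{key}={value}")
    return ";".join(out)
```

Running both functions over `SAMPLE` shows the naive scrubber leaving the tail of the password after the first `;` in the output, while the parsing scrubber removes the whole value.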

 

Vulnerable Versions: The following versions have this vulnerability:

Tableau Server 10.0 through 10.0.20

Tableau Server 10.1 through 10.1.19

Tableau Server 10.2 through 10.2.15

Tableau Server 10.3 through 10.3.15

Tableau Server 10.4 through 10.4.11

Tableau Server 10.5 through 10.5.8

Tableau Server 2018.1 through 2018.1.5

Tableau Server 2018.2 through 2018.2.2

Tableau Server 2018.3

 

Tableau Server on Linux 10.5 through 10.5.8

Tableau Server on Linux 2018.1 through 2018.1.5

Tableau Server on Linux 2018.2 through 2018.2.2

 

Tableau Desktop 10.0 through 10.0.20

Tableau Desktop 10.1 through 10.1.19

Tableau Desktop 10.2 through 10.2.15

Tableau Desktop 10.3 through 10.3.15

Tableau Desktop 10.4 through 10.4.11

Tableau Desktop 10.5 through 10.5.8

 

Tableau Bridge 2018.2 through 2018.2.0.18.0918.0707

 

Tableau Prep 2018.1.1 through 2018.3.1

              

Resolution: The issue can be fixed by upgrading to the following versions:

Tableau Server 10.0.21

Tableau Server 10.1.20

Tableau Server 10.2.16

Tableau Server 10.3.16

Tableau Server 10.4.12

Tableau Server 10.5.9

Tableau Server 2018.1.6

Tableau Server 2018.2.3

Tableau Server on Linux 10.5.9

Tableau Server on Linux 2018.1.6

Tableau Server on Linux 2018.2.3

 

Tableau Desktop 10.0.21

Tableau Desktop 10.1.20

Tableau Desktop 10.2.16

Tableau Desktop 10.3.16

Tableau Desktop 10.4.12

Tableau Desktop 10.5.9

Tableau Desktop 2018.1.6

Tableau Desktop 2018.2.3

 

Tableau Bridge 2018.3.0.18.1016.2147

 

Tableau Prep 2018.3.2