Skip navigation

Severity: Medium

 

Summary: The ziplogs command (tsm maintenance ziplogs) is used by Tableau Server administrators to package configuration information and log files to send to Tableau Support. Unneeded, but sensitive information is contained in these zip archives.

 

Impact: Running the ziplogs command on a Tableau Server that is configured with external SSL will generate an archive file that includes the private key for the external SSL certificate.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server 2018.2.0 through 2018.2.3

Tableau Server 2018.3.0

Tableau Server on Linux 10.5 through 10.5.9

Tableau Server on Linux 2018.1.0 through 2018.1.6

Tableau Server on Linux 2018.2.0 through 2018.2.3

Tableau Server on Linux 2018.3.0

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server 2018.2.4

Tableau Server 2018.3.1

Tableau Server on Linux 10.5.10

Tableau Server on Linux 2018.1.7

Tableau Server on Linux 2018.2.4

Tableau Server on Linux 2018.3.1

Severity: Medium

 

Summary: A malicious workbook that has a refresh job scheduled on it can cause the Backgrounder service to crash and fail to process any subsequent jobs.

 

Impact: The Backgrounder service will repeatedly crash and no new jobs will be processed.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server 2018.2.0 through 2018.2.3

Tableau Server 2018.3.0

Tableau Server on Linux 2018.2.0 through 2018.2.3

Tableau Server on Linux 2018.3.0

 

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server 2018.2.4

Tableau Server 2018.3.1

Tableau Server on Linux 2018.2.4

Tableau Server on Linux 2018.3.1

Severity: Medium

 

Summary: The cookie used to identify the Tableau Services Manager (TSM) Web UI session does not expire if a browser window to the web interface remains open.

 

Impact: This vulnerability increases the risk that an unattended computer where the TSM web UI is left open will host a valid session. The open valid session allows users to perform administrative actions on the Tableau Server installation.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server 2018.2.0 through 2018.2.3

Tableau Server 2018.3.0

Tableau Server on Linux 2018.2.0 through 2018.2.3

Tableau Server on Linux 2018.3.0

 

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server 2018.2.4

Tableau Server 2018.3.1

Tableau Server on Linux 2018.2.4

Tableau Server on Linux 2018.3.1

Severity: High

 

Summary: This vulnerability requires that a malicious user embeds specific parameters in a Tableau workbook. The malicious user must also have rights to publish the workbook on Tableau Server. Alternatively, the malicious user must convince a victim to open the affected workbook in Tableau Desktop.

 

Impact: A memory corruption error can occur. This memory corruption might result in arbitrary code execution or a crash.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Server 2018.3.0

Tableau Server on Linux 2018.3.0

 

Tableau Desktop 2018.3.0

 

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server 2018.3.1

Tableau Server on Linux 2018.3.1

 

Tableau Desktop 2018.3.1