Highest overall severity: High

 

Summary:

Workbooks connected to published data sources that leverage user functions may not properly filter data the first time a view is loaded due to a caching issue.

 

Impact:

A user with access to a published workbook or data source can see unfiltered data for another user, resulting in information disclosure within that same workbook. A malicious user cannot directly force this to happen.

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: High
CVSS3 Score: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/CR:H - 7.5 High

Product specific notes:

This vulnerability affects the user filter functionality of Tableau Server.

 

If you have already installed Tableau Server 2019.1.0 and plan to upgrade to 2019.1.1, you will need to take the following steps before you upgrade to ensure your cache is properly cleared:

tsm stop

tsm maintenance cleanup -r

Install the new version 2019.1.1 and initiate the upgrade script to complete the upgrade.

 

If you have already installed Tableau Server 2019.1.0 and do not plan to upgrade to 2019.1.1, you will need to take the following steps to ensure your cache is properly cleared and the logical query cache is disabled:

tsm stop

tsm maintenance cleanup -r

tsm configuration set -k features.LogicalQueryCache -v false

tsm pending-changes apply

tsm start
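
The no-upgrade mitigation above as a script, added here as an example and not Tableau's own code: it runs the five tsm commands in order, stops at the first failure, and reads the key back afterwards. The function names, the DRY_RUN variable, the file name mitigate.sh, and the assumption that `tsm configuration get` prints the bare value are this example's, not the bulletin's.

```shell
#!/bin/sh
# Added example, not Tableau's script: mitigation for Tableau Server 2019.1.0
# when staying on 2019.1.0 (clear caches, disable the logical query cache).
# Assumes a shell on the Tableau Server machine, already logged in to TSM.
KEY="features.LogicalQueryCache"

# DRY_RUN=1 (this example's own variable) prints each command instead of running it.
run_tsm() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "tsm $*"; else tsm "$@"; fi
}

# The bulletin's steps, in order. The && chain stops at the first failing
# command, so a failed cleanup is never followed by a restart on a stale cache.
apply_mitigation() {
  run_tsm stop &&
  run_tsm maintenance cleanup -r &&
  run_tsm configuration set -k "$KEY" -v false &&
  run_tsm pending-changes apply &&
  run_tsm start
}

# Read the key back. Assumption: "tsm configuration get" prints the bare value.
verify_mitigation() {
  value="$(run_tsm configuration get -k "$KEY" 2>/dev/null | tr -d '[:space:]')"
  [ "$value" = "false" ]
}

main() {
  apply_mitigation || { echo "step failed; Tableau Server may still be stopped" >&2; return 1; }
  [ "${DRY_RUN:-0}" = 1 ] && return 0
  verify_mitigation || { echo "$KEY does not read back as false" >&2; return 1; }
  echo "caches cleaned and $KEY disabled"
}

# Usage (mitigate.sh is a hypothetical file name):
#   sh mitigate.sh apply            run the mitigation
#   DRY_RUN=1 sh mitigate.sh apply  preview the commands only
if [ "${1:-}" = "apply" ]; then main; fi
```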

 

For Tableau Mobile Views

If Tableau Server version 2019.1.0 has been installed with offline favorites enabled, then Tableau Mobile clients connecting to that server may display incorrect data even if you have upgraded Tableau Server, or have already applied the mitigations referenced in this bulletin. We recommend that you run the removeStaleSheet script to determine if there are images that need to be regenerated. In the case where images need to be regenerated, the script will prompt you to force Tableau Server to regenerate the Tableau Mobile offline views.

 

To run the removeStaleSheet script:

 

1. Download the WINDOWSremoveStaleSheet or LINUXremoveStaleSheet script attached to this post and save it to the Tableau Server machine.

2. Open a command line on the Tableau Server machine.

3. Log into TSM.

4. Run the WINDOWSremoveStaleSheet or LINUXremoveStaleSheet script.

 

 

Vulnerable versions:

  • Tableau Server on Windows 2019.1.0

 

  • Tableau Server on Linux 2019.1.0

 

Resolved in versions:

  • Tableau Server on Windows 2019.1.1

  • Tableau Server on Linux 2019.1.1

 

Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

 

Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

 

Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

 

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

 

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.

 

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes: Not affected.