Highest overall severity: High

 

Summary:

The psqlODBC driver that is included with Tableau products contains a heap-based buffer overflow. We recommend that all Tableau users upgrade to psqlODBC 9.6.5.

 

Impact:

An attacker exploiting this vulnerability may be able to execute arbitrary code or cause a crash.

 

Mitigation:

Windows: For Tableau products running on Windows the latest PostgreSQL ODBC driver should be installed.
Mac: For Tableau products running on Mac the latest PostgreSQL ODBC driver should be installed.
Linux: For Tableau products running on Linux follow these directions:


On CentOS and RHEL:

Download the .rpm file.
To install the driver, run the following command:
    sudo yum install tableau-postgresql-odbc-09.06.0500-1.x86_64.rpm

On Ubuntu:

Download the .deb file.
To install the driver, run the following command:
    sudo gdebi tableau-postgresql-odbc_09.06.0500-2_amd64.deb
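
To confirm the result on a Linux host, the following added example (not part of the original advisory) reads the installed driver package version from rpm or dpkg and compares it with 09.06.0500. The package name tableau-postgresql-odbc is an assumption inferred from the file names above.

```shell
#!/bin/sh
# Added example, not Tableau's code. Reports whether the packaged driver is
# at least the version this advisory recommends.
PKG="tableau-postgresql-odbc"  # assumption: inferred from the .rpm/.deb file names
FIXED="09.06.0500"             # psqlODBC 9.6.5 as written in those file names

# Print dotted field $2 of version $1 as a decimal with leading zeros removed
# ("0500" -> "500"), so the shell does not treat "09" as invalid octal.
ver_field() {
    f=$(printf '%s.0.0\n' "$1" | cut -d. -f"$2" | sed 's/[^0-9].*$//; s/^0*//')
    printf '%s' "${f:-0}"
}

# Succeed if version $1 >= version $2. A Debian epoch ("1:") and a package
# release suffix ("-2") on $1 are ignored.
version_at_least() {
    have=${1#*:}
    have=${have%%-*}
    for i in 1 2 3; do
        a=$(ver_field "$have" "$i")
        b=$(ver_field "$2" "$i")
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
    done
    return 0
}

# Print the installed package version, or nothing if it is not installed.
installed_version() {
    if command -v rpm >/dev/null 2>&1 && rpm -q "$PKG" >/dev/null 2>&1; then
        rpm -q --queryformat '%{VERSION}\n' "$PKG"
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Status} ${Version}\n' "$PKG" 2>/dev/null |
            sed -n 's/^install ok installed //p'
    fi
}

check_driver() {
    v=$(installed_version)
    if [ -z "$v" ]; then
        echo "$PKG: no rpm/dpkg package found"
    elif version_at_least "$v" "$FIXED"; then
        echo "$PKG $v: at or above $FIXED"
    else
        echo "$PKG $v: older than $FIXED, install the updated driver"
    fi
}

check_driver
```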

 

Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep Builder | Tableau Reader | Tableau Mobile | Tableau Public Desktop
Versions that are no longer supported are not tested and may be vulnerable.

 

Tableau Server

Severity: High
CVSS3 Score: AV:N AC:L PR:L UI:N S:U C:H I:H A:H - 8.8 High
Product specific notes:

An authenticated user who has permissions to publish a workbook to Tableau Server can trigger this vulnerability.

 

Tableau Server on Linux does not include the PostgreSQL ODBC driver by default, and is therefore not listed below. However, the PostgreSQL driver is required for Admin View functionality and is often installed by the administrator as part of the deployment process. If the driver has been installed then Tableau Server on Linux is vulnerable.

 

Vulnerable versions:

  • Tableau Server on Windows 10.0 through 10.0.22

Support for Tableau Server on Windows 10.0 ended on Feb 19, 2019 (Supported Versions)

No new releases of 10.0 are planned. It is recommended to apply the above mitigation.

 

  • Tableau Server on Windows 10.1 through 10.1.22
  • Tableau Server on Windows 10.2 through 10.2.18
  • Tableau Server on Windows 10.3 through 10.3.18
  • Tableau Server on Windows 10.4 through 10.4.14
  • Tableau Server on Windows 10.5 through 10.5.13
  • Tableau Server on Windows 2018.1 through 2018.1.10
  • Tableau Server on Windows 2018.2 through 2018.2.7
  • Tableau Server on Windows 2018.3 through 2018.3.4
  • Tableau Server on Windows 2019.1 through 2019.1.1

 

Resolved versions:

 

  • Tableau Server on Windows 10.1.23
  • Tableau Server on Windows 10.2.19
  • Tableau Server on Windows 10.3.19
  • Tableau Server on Windows 10.4.15
  • Tableau Server on Windows 10.5.14
  • Tableau Server on Windows 2018.1.11
  • Tableau Server on Windows 2018.2.8
  • Tableau Server on Windows 2018.3.5
  • Tableau Server on Windows 2019.1.2

 

Tableau Desktop

Severity: High
CVSS3 Score: AV:L AC:L PR:N UI:R S:U C:H I:H A:H - 7.8 High
Product specific notes:

Opening a malicious workbook can trigger this vulnerability.

 

Tableau Desktop on Windows includes the 32-bit version of the psqlODBC driver. It is recommended that this driver be uninstalled. To uninstall the 32-bit version of the driver use Add/Remove Programs and uninstall 'psqlODBC'.

 

Vulnerable versions:

  • Tableau Desktop on Windows 10.0 through 10.0.21
  • Tableau Desktop on Windows 10.1 through 10.1.21
  • Tableau Desktop on Windows 10.2 through 10.2.17
  • Tableau Desktop on Windows 10.3 through 10.3.17
  • Tableau Desktop on Windows 10.4 through 10.4.13
  • Tableau Desktop on Windows 10.5 through 10.5.12
  • Tableau Desktop on Windows 2018.1 through 2018.1.9
  • Tableau Desktop on Windows 2018.2 through 2018.2.6
  • Tableau Desktop on Windows 2018.3 through 2018.3.3
  • Tableau Desktop on Windows 2019.1 through 2019.1.0 (2019.1.1 was a Tableau Server only release)

 

  • Tableau Desktop on Mac 10.2 through 10.2.17
  • Tableau Desktop on Mac 10.3 through 10.3.17
  • Tableau Desktop on Mac 10.4 through 10.4.13
  • Tableau Desktop on Mac 10.5 through 10.5.12
  • Tableau Desktop on Mac 2018.1 through 2018.1.9
  • Tableau Desktop on Mac 2018.2 through 2018.2.6
  • Tableau Desktop on Mac 2018.3 through 2018.3.3
  • Tableau Desktop on Mac 2019.1 through 2019.1.0 (2019.1.1 was a Tableau Server only release)

 

Resolved in versions:

  • Tableau Desktop on Windows 10.0.22
  • Tableau Desktop on Windows 10.1.22
  • Tableau Desktop on Windows 10.2.18
  • Tableau Desktop on Windows 10.3.18
  • Tableau Desktop on Windows 10.4.14
  • Tableau Desktop on Windows 10.5.13
  • Tableau Desktop on Windows 2018.1.10
  • Tableau Desktop on Windows 2018.2.7
  • Tableau Desktop on Windows 2018.3.4
  • Tableau Desktop on Windows 2019.1.2

 

  • Tableau Desktop on Mac 10.2.18
  • Tableau Desktop on Mac 10.3.18
  • Tableau Desktop on Mac 10.4.14
  • Tableau Desktop on Mac 10.5.13
  • Tableau Desktop on Mac 2018.1.10
  • Tableau Desktop on Mac 2018.2.7
  • Tableau Desktop on Mac 2018.3.4
  • Tableau Desktop on Mac 2019.1.2

 

Tableau Bridge

Severity: High
CVSS3 Score: AV:N AC:L PR:L UI:N S:U C:H I:H A:H - 8.8 High
Product specific notes:

Opening a malicious data source can trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Bridge 2018.2 through 20191.19.0204.1456

 

Resolved in versions:

  • Tableau Bridge 20191.19.0311.1807

 

Tableau Prep Builder

Severity: High
CVSS3 Score: AV:L AC:L PR:N UI:R S:U C:H I:H A:H - 7.8 High
Product specific notes:

Opening a malicious flow can trigger this vulnerability.

 

Vulnerable versions:

  • Tableau Prep Builder 2018.1.1 through 2019.1.2

 

Resolved in versions:

  • Tableau Prep Builder 2019.1.3

 

Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product specific notes:

Not affected.

 

Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product specific notes:

Not affected.

 

Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product specific notes:

Not affected.