Highest overall severity: High


Summary:

Under certain circumstances, Tableau Server removes authentication on a JMX server, which may allow Remote Code Execution.


Impact:

An attacker can execute arbitrary commands on a vulnerable Tableau Server if the JMX RMI port is not protected.


Mitigation:

Implementing a host firewall as described in [Step 5 in the Tableau Server hardening guide](https://help.tableau.com/current/server/en-us/security_harden.htm) will mitigate this vulnerability.


Products and Versions: Tableau Server | Tableau Desktop | Tableau Bridge | Tableau Prep | Tableau Reader | Tableau Mobile | Tableau Public Desktop
*Versions that are no longer supported are not tested and may be vulnerable.


Tableau Server

Severity: High
CVSS3 Score: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - 7.2 High
Product Specific Notes: Not affected.

Vulnerable versions:

  • Tableau Server on Linux 2019.1 through 2019.1.11
  • Tableau Server on Linux 2019.2 through 2019.2.7
  • Tableau Server on Linux 2019.3 through 2019.3.3
  • Tableau Server on Linux 2019.4 through 2019.4.1

  • Tableau Server on Windows 2019.1 through 2019.1.11
  • Tableau Server on Windows 2019.2 through 2019.2.7
  • Tableau Server on Windows 2019.3 through 2019.3.3
  • Tableau Server on Windows 2019.4 through 2019.4.1


Resolved in versions:

  • Tableau Server on Linux 2019.1.12
  • Tableau Server on Linux 2019.2.8
  • Tableau Server on Linux 2019.3.4
  • Tableau Server on Linux 2019.4.2

  • Tableau Server on Windows 2019.1.12
  • Tableau Server on Windows 2019.2.8
  • Tableau Server on Windows 2019.3.4
  • Tableau Server on Windows 2019.4.2
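
A triage check built from the vulnerable and resolved version lists above, for sorting an inventory of Tableau Server installs. This is an added example, not Tableau code; it assumes version strings in the short `YYYY.N` or `YYYY.N.M` form, and the hostnames in the sample inventory are constructed.

```python
import re

# First fixed maintenance release per branch, from the advisory's
# "Resolved in versions" list (identical for Linux and Windows).
FIRST_FIXED = {(2019, 1): 12, (2019, 2): 8, (2019, 3): 4, (2019, 4): 2}

_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?\s*$")


def parse_version(text):
    """Parse 'YYYY.N' or 'YYYY.N.M' into (year, release, maintenance)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Tableau Server version: {text!r}")
    year, release, maint = m.groups()
    return int(year), int(release), int(maint or 0)


def triage(version):
    """Return (status, first_fixed_version) for one version string.

    status is 'vulnerable', 'resolved', or 'not-listed'. A 'not-listed'
    branch is outside the advisory's ranges; the advisory notes that
    unsupported versions are untested and may be vulnerable.
    """
    year, release, maint = parse_version(version)
    fixed = FIRST_FIXED.get((year, release))
    if fixed is None:
        return "not-listed", None
    status = "vulnerable" if maint < fixed else "resolved"
    return status, f"{year}.{release}.{fixed}"


# Constructed inventory for illustration (hostnames are hypothetical).
SAMPLE_INVENTORY = {
    "tab-prod-01": "2019.1.11",
    "tab-prod-02": "2019.3.4",
    "tab-dev-01": "2019.4",
    "tab-old-01": "2018.3.9",
}


def report(inventory):
    """Map each host to its (status, first_fixed_version) result."""
    return {host: triage(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    for host, (status, fixed) in report(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}" + (f" (fixed in {fixed})" if fixed else ""))
```

Hosts reported as `vulnerable` or `not-listed` are the ones to check first for a host firewall in front of the JMX RMI port.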


Tableau Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Bridge

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Prep

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Reader

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Mobile

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.


Tableau Public Desktop

Severity: N/A
CVSS3 Score: N/A
Product Specific Notes: Not affected.