Security Bulletins

13 Posts authored by: Julia.Ryan

Severity: Medium

Summary: Under certain conditions Tableau Mobile is vulnerable to a man-in-the-middle attack when connecting to Tableau Server. To exploit the vulnerability, an attacker must be able to intercept and modify the initial network messages and force a fallback to insecure communication. In some cases when Tableau Mobile connects to a host using a secure connection (HTTPS), the connection may fall back to an insecure connection (HTTP).

Impact: The attacker can intercept communications, which may result in the disclosure of credentials.

Vulnerable Versions:

  • Tableau Mobile for iOS version 10.1.0 and earlier
  • Tableau Mobile for Android version 10.1.0.60.0 and earlier

Resolution: Upgrade the Tableau Mobile application to the latest version available through the Apple App Store or Google Play store.

Additional Information: The upgraded version of Tableau Mobile will not fall back to an insecure (HTTP) connection if the user specifies a secure (HTTPS) connection.

In all cases where SSL is enabled on Tableau Server, you should instruct users to specify a secure HTTPS URL (https://myserver.example.com) whenever they connect to Tableau Server. Discourage users from entering the hostname only.

If the hostname is used without "https://" or "http://", Tableau Mobile will attempt to connect with HTTPS first, but will fall back to HTTP if the connection fails.
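As an added illustration (not Tableau Mobile's code), the following Python models the scheme handling this advisory describes: the pre-fix policy downgrades an explicit https:// URL to HTTP when the HTTPS attempt fails, the fixed policy refuses, and a bare hostname still tries HTTPS first and then HTTP. The `probe` callback and all function names are assumptions standing in for the app's real connection attempt.

```python
from urllib.parse import urlsplit


class InsecureFallback(Exception):
    """Raised when the fixed policy refuses to downgrade HTTPS to HTTP."""


def resolve_server_url(user_input, probe, allow_downgrade):
    """Return the URL the client would actually connect to.

    user_input      -- what the user typed: "myserver.example.com",
                       "https://myserver.example.com" or "http://..."
    probe(url)      -- assumed stand-in for a connection attempt; True on success
    allow_downgrade -- True models the pre-fix app (explicit https:// may drop to
                       HTTP); False models the fixed app (explicit https:// never does)
    """
    text = user_input.strip()
    has_scheme = "://" in text
    parts = urlsplit(text if has_scheme else "https://" + text)
    host = parts.netloc.lower()
    explicit_scheme = parts.scheme.lower() if has_scheme else None

    if explicit_scheme == "http":
        return "http://" + host          # user asked for plaintext; nothing to downgrade

    https_url = "https://" + host
    if probe(https_url):
        return https_url                 # HTTPS worked; no fallback needed

    # HTTPS failed, which an on-path attacker can force by blocking the handshake.
    if explicit_scheme == "https" and not allow_downgrade:
        raise InsecureFallback(f"refusing to downgrade {https_url} to HTTP")
    # Bare hostname (both versions) or explicit https:// in the old app: fall back.
    return "http://" + host


def fixed_client_refuses(user_input, probe):
    """True if the fixed policy refuses to connect rather than downgrade."""
    try:
        resolve_server_url(user_input, probe, allow_downgrade=False)
    except InsecureFallback:
        return True
    return False


if __name__ == "__main__":
    # Constructed network condition: HTTPS is blocked, plain HTTP answers.
    https_blocked = lambda url: url.startswith("http://")
    print(resolve_server_url("https://myserver.example.com", https_blocked, True))
    print(fixed_client_refuses("https://myserver.example.com", https_blocked))
    print(resolve_server_url("myserver.example.com", https_blocked, False))
```

The last call shows why the advisory still asks users to type the full https:// URL: with a bare hostname even the fixed policy ends up on HTTP once HTTPS is blocked.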

Severity: Critical

 

Summary: The Tableau Server installation process leaves an account enabled that can allow an unauthorized remote attacker to gain access and perform administrative functions. This vulnerability does not affect installations that are configured to use Active Directory authentication.

 

Impact: Allows unauthorized disclosure of information, modification of information, and denial of service.

 

Vulnerable Versions:

* 7.0 to 8.2
* 8.3 (through 8.3.17)
* 9.0 (through 9.0.20)
* 9.1 (through 9.1.16)
* 9.2 (through 9.2.15)
* 9.3 (through 9.3.11)
* 10.0 (through 10.0.5)
* 10.1 (through 10.1.3)

 

Conditions: Tableau Servers configured for local authentication with SAML, OAuth, OpenID, or TLS mutual authentication are vulnerable. To determine if your installation of Tableau Server is configured for local authentication, see the document Questions and Answers regarding ADV-2017-001.

Resolution: To mitigate this vulnerability, immediately change the user password and permissions. See the document Questions and Answers regarding ADV-2017-001 for the necessary steps.

After changing the user, schedule an upgrade to a non-vulnerable version of Tableau Server as soon as possible.

 

CVSSv3 Base Score: 9.8 (Critical)

CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

 

Acknowledgement: This vulnerability was found by a customer.

Severity: High

 

Summary: Tableau Server ships with a version of the Java Runtime Environment (JRE) that contains a vulnerability in Java Management Extensions (JMX). By default, JMX is disabled on Tableau Server, and default installations are not exposed to this vulnerability. However, customers who have enabled JMX to use monitoring tools such as TabMon or TabJolt might be exposed to this vulnerability.

 

Vulnerable Versions: All current versions of Tableau Server are vulnerable.

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 9.0.19

Tableau Server 9.1.15

Tableau Server 9.2.14

Tableau Server 9.3.09

Tableau Server 10.0.3

Workaround: JMX is disabled by default. If JMX has been enabled, run the following tabadmin commands to disable JMX:

tabadmin stop
tabadmin set service.jmx_enabled false
tabadmin configure
tabadmin start

 

Customers should enable JMX ports only for a specific use case (for example, at the request of Tableau Support). Even then, the ports should be accessible only to trusted users. For details, see Enable JMX Ports in the Tableau Server help.

 

Acknowledgement:  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3427

Severity: Medium

 

Summary: An authenticated attacker with the ability to upload or edit a workbook might be able to trigger a cross-site scripting (XSS) vulnerability in Tableau Server.

Impact: Allows unauthorized disclosure and modification of information.

 

Vulnerable Versions: Tableau Server 8.2 (through 8.2.20), 8.3 (through 8.3.15), 9.0 (through 9.0.18), 9.1 (through 9.1.14), 9.2 (through 9.2.13), 9.3 (through 9.3.8), 10.0 (through 10.0.2), 10.1 (through 10.1.0)

 

Conditions: The attacker must have permission to upload a workbook to Tableau Server and convince the victim to connect to it using a web browser.

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 10.1.1
Tableau Server 10.0.3
Tableau Server 9.3.9
Tableau Server 9.2.14
Tableau Server 9.1.15
Tableau Server 9.0.19
Tableau Server 8.3.16
Tableau Server 8.2.21

 

Acknowledgement: This vulnerability was found internally.

Severity: High

 

Summary: A vulnerability in the OpenSAML library (CVE-2013-6440) allows a remote unauthenticated attacker to conduct XML external entity (XXE) attacks against Tableau Server via a specially crafted XML DOCTYPE declaration.

 

Impact: Allows unauthorized disclosure of information.

 

Vulnerable Versions: Tableau Server 8.2 (through 8.2.20), 8.3 (through 8.3.15), 9.0 (through 9.0.17), 9.1 (through 9.1.13), 9.2 (through 9.2.12), 9.3 (through 9.3.7), 10.0 (through 10.0.1)

 

Conditions: To be vulnerable, Tableau Server must be configured for server-wide SAML authentication. Site-specific SAML authentication is not affected by this vulnerability.

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 10.1
Tableau Server 10.0.2
Tableau Server 9.3.8
Tableau Server 9.2.13
Tableau Server 9.1.14
Tableau Server 9.0.18
Tableau Server 8.3.16
Tableau Server 8.2.21

 

Acknowledgement: This vulnerability was reported by Matias Brutti.
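As an added example (not Tableau's or OpenSAML's code), this Python guard shows the mitigation class for the DOCTYPE-based XXE described above: a SAML message is scanned with expat and rejected the moment a DOCTYPE declaration appears, before any entity can be declared or expanded. The sample messages and function names are constructed for the example.

```python
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET


class DoctypeNotAllowed(ValueError):
    """Raised when a SAML message carries a DOCTYPE declaration."""


def parse_saml_message(xml_bytes):
    """Parse a SAML message, refusing any DOCTYPE (and so any DTD entities).

    Returns the root element on success; raises DoctypeNotAllowed otherwise.
    """
    def reject(name, sysid, pubid, has_internal_subset):
        # Fires at the start of the DOCTYPE, before the internal subset is read.
        raise DoctypeNotAllowed(f"DOCTYPE {name!r} is not allowed in SAML messages")

    # Pass 1: a streaming expat scan that aborts at the DOCTYPE, so no external
    # or internal entity is ever resolved.
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = reject
    scanner.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    scanner.Parse(xml_bytes, True)

    # Pass 2: the document has no DOCTYPE, so building the tree is safe.
    return ET.fromstring(xml_bytes)


def rejects_message(xml_bytes):
    """True if parse_saml_message refuses the input because of a DOCTYPE."""
    try:
        parse_saml_message(xml_bytes)
    except DoctypeNotAllowed:
        return True
    return False


# Constructed samples: a minimal benign SAML response, and a message whose
# DOCTYPE declares an external entity (the XXE pattern; placeholder URI).
BENIGN = (b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
          b'ID="r1"><samlp:Status/></samlp:Response>')
CRAFTED = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE Response [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
           b'<Response>&ext;</Response>')

if __name__ == "__main__":
    print("benign rejected:", rejects_message(BENIGN))    # False
    print("crafted rejected:", rejects_message(CRAFTED))  # True
```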

Severity: Critical

 

Summary: Heartbleed is a critical security vulnerability in the OpenSSL library (version 1.0.1). OpenSSL is open source software that is used by many websites and software products, including some Tableau products.

Impact: The Heartbleed vulnerability allows a remote attacker to read client or server application memory. This can allow encryption keys to be read, which can enable the decryption of data obtained by intercepting traffic. For example, passwords or other sensitive data could be accessed. Tableau's desktop products use OpenSSL to negotiate the security protocol between server and desktop; this includes both Tableau Server and Tableau Desktop when they communicate with other servers. For example, a dashboard with an embedded web page component may access a remote SSL-enabled server.

 

Vulnerable Versions: Tableau Desktop 8.1.0 (through 8.1.5), 8.2.0 Beta, Tableau Server 8.1.0 (through 8.1.5), 8.2.0 Beta, Tableau Reader 8.1.0 (through 8.1.5)

 

Resolution: Upgrade Tableau to the following versions:

Tableau Desktop: 8.1.6
Tableau Desktop: 8.2.0
Tableau Server: 8.1.6
Tableau Server: 8.2.0
Tableau Public: 8.1.6

For more information and questions, see the Heartbleed information document: Heartbleed Vulnerability | Tableau Software

Summary: If you or your organization uses Tableau Server 8.2 or earlier, you may be affected by the CVE-2014-3566 (POODLE) security vulnerability. This vulnerability can result in insecure or compromised transactions over SSLv3.

 

Follow the directions in the Knowledge base article below to disable SSLv3 in older versions.

 

SSL Vulnerability CVE-2014-3566 (POODLE) | Tableau Software

 

NVD Announcement for: CVE-2014-3566

Summary: Microsoft announced a critical vulnerability in its Internet Explorer product. This vulnerability allows remote code execution and denial of service attacks.

This issue can affect you if your Tableau workbook contains a dashboard on which you included either of the following:

  • A web part that targets a malicious site.
  • A URL action that directs to a malicious site.

 

Install the latest Internet Explorer security update from Microsoft, which fixes this vulnerability.

 

The Knowledge Base article below lists the Windows updates considered most critical and is updated as issues are flagged to the team.

 

Resolving an Internet Explorer Critical Vulnerability that Affects Tableau | Tableau Software

Severity: Low-Medium

 

Summary: Under certain conditions a user who accesses a workbook as a Guest user can view data as the publisher of the data.

 

Vulnerable Versions: Tableau Server 9.0.0 (through 9.0.2)

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 9.0.3

 

Workaround: In the meantime, disable Guest access.

 

Knowledgebase Article: Security Advisory: Guest Users Can See Data As the Publisher User | Tableau Software

Severity: High

 

Summary: A user can send a specially crafted request to Tableau Server that allows the user to impersonate a different user.

 

Vulnerable Versions: Tableau Server 8.1 (through 8.1.20), 8.2 (through 8.2.12), 8.3 (through 8.3.7), 9.0 (through 9.0.3)

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 8.1.21
Tableau Server 8.2.13
Tableau Server 8.3.8
Tableau Server 9.0.4

 

Knowledgebase Article: Security Advisory: Users Can Be Impersonated | Tableau Software

Severity: Medium

 

Summary: Under certain conditions, a workbook viewed on Tableau Server shows data from a published data source on another site.

 

Vulnerable Versions: Tableau Server 9.0 (through 9.0.2)

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 9.0.3

Knowledgebase Article: Security Advisory: Workbook Shows Data From Different Site | Tableau Software

Summary: On March 3, 2015, an SSL/TLS security vulnerability nicknamed FREAK was discovered. FREAK allows attackers to intercept and potentially decrypt or alter HTTPS communication from vulnerable systems.

Tableau products have been upgraded to use the unaffected version of OpenSSL. See the Knowledge Base article below for more details.

 

NVD Announcement for: SSL CVE-2015-0204 | Tableau Software

Summary: You may have noticed an error message that is displayed when downloading Tableau products using Microsoft's Internet Explorer indicating that there is a "corrupt or invalid signature". This is due to a change that Microsoft made on January 1st of this year to no longer accept software signed by certificates using the SHA-1 signing algorithm.

 

We've since obtained a new code signing certificate that does not cause this error message because it uses the stronger SHA-2 signing algorithm. We are quickly working to re-sign our software using the new certificate, so you will see this error less and less as we update our signatures.

 

Resolution: The following versions of Tableau products are fixed:

Tableau Desktop, Server, Public 8.1.25
Tableau Desktop, Server, Public 8.2.18
Tableau Desktop, Server, Public 8.3.13
Tableau Desktop, Server, Public 9.0.14
Tableau Desktop, Server, Public 9.1.8
Tableau Desktop, Server, Public 9.2.6