
Security Bulletins

16 posts authored by: Erik Pearson (Employee)

Summary: Tableau Software has confirmed that no currently supported version of Tableau Server is affected by CVE-2017-9805 (the Apache Struts REST plugin deserialization vulnerability). Tableau Software has also confirmed that Tableau Online is not affected by CVE-2017-9805.

 

Tableau Server versions 10.0.0 through 10.0.10 and 10.1.0 through 10.1.8 did ship with the Struts components, but those components were not used in a way that is exploitable, and they have since been removed.

Severity: High

 

Summary: An authenticated remote attacker can send a specially crafted message that can result in the disclosure of information from Tableau Server.

 

Impact: Exploits of the authenticated API call can result in the disclosure of information that the Tableau Server Run As User service account has access to.

 

Vulnerable Versions: 9.3.0 (through 9.3.15), 10.0.0 (through 10.0.10), 10.1.0 (through 10.1.8), 10.2.0 (through 10.2.2), 10.3.0

 

Workarounds: None

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server: 9.3.16

Tableau Server: 10.0.11

Tableau Server: 10.1.9

Tableau Server: 10.2.3

Tableau Server: 10.3.1

Severity: High

 

Summary: Tableau Desktop on the Mac includes the MySQL driver. The MySQL driver, version 5.3.4 and earlier, contains an outdated, vulnerable version of the OpenSSL library (1.0.1g). The following Tableau connectors use the MySQL driver: Amazon Aurora, Google Cloud SQL, MemSQL, MongoDB BI Connector and MySQL.

 

Impact: Users running Tableau Desktop on the Mac who connect to MySQL over SSL are exposed to the vulnerability, which may result in denial of service or remote code execution.

 

Vulnerable Versions: Tableau Desktop on the Mac 9.3 (through 9.3.15), 10.0 (through 10.0.10), 10.1 (through 10.1.8), 10.2 (through 10.2.2), 10.3.0.

The MySQL driver was not included in versions prior to 9.3.15. However, the driver may have been installed on earlier versions of Tableau Desktop by users who downloaded it directly from Oracle.

 

Resolution: As of the releases listed here, Tableau no longer installs the MySQL driver with Tableau Desktop on the Mac.

Tableau Desktop on the Mac: 9.3.16

Tableau Desktop on the Mac: 10.0.11

Tableau Desktop on the Mac: 10.1.9

Tableau Desktop on the Mac: 10.2.3

Tableau Desktop on the Mac: 10.3.1

 

We recommend that customers remove the MySQL driver until an updated version is provided by Oracle. For more information, see Driver Download.

 

Customers running macOS Sierra or later can install a current version of the MySQL driver, which no longer uses the OpenSSL library.

More Information: The OpenSSL vulnerability is documented on the NIST website at CVE-2016-2108 Detail.

Severity: High

 

Summary: Tableau Server and Tableau Desktop include an outdated, vulnerable version of libtiff, a third-party dynamic link library for handling TIFF images.

 

Impact: The outdated version contains buffer overflows and other memory-safety flaws that can be triggered by a crafted TIFF image and could result in denial of service or remote code execution.

 

Vulnerable Versions: 8.3 (through 8.3.19), 9.0 (through 9.0.22), 9.1 (through 9.1.19), 9.2 (through 9.2.18), 9.3 (through 9.3.15), 10.0 (through 10.0.10), 10.1 (through 10.1.8), 10.2 (through 10.2.2).

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server and Tableau Desktop versions:

Tableau Server, Tableau Desktop: 8.3.20

Tableau Server, Tableau Desktop: 9.0.23

Tableau Server, Tableau Desktop: 9.1.20

Tableau Server, Tableau Desktop: 9.2.19

Tableau Server, Tableau Desktop: 9.3.16

Tableau Server, Tableau Desktop: 10.0.11

Tableau Server, Tableau Desktop: 10.1.9

Tableau Server, Tableau Desktop: 10.2.3

 

More Information: the following vulnerabilities are resolved with the latest upgrade:

CVE-2016-9535

CVE-2015-7554

CVE-2016-8331

CVE-2016-6223

CVE-2016-9448

CVE-2016-5323

CVE-2016-9297

CVE-2016-5315

CVE-2016-5317

CVE-2016-5321

CVE-2016-5318

CVE-2016-9273

CVE-2015-8683

CVE-2015-8665

CVE-2015-1547

CVE-2014-9655

See https://cve.mitre.org/index.html for an index of CVEs.

Severity: Medium

 

Summary: Tableau Server includes an unauthenticated API that generates a non-trivial amount of work on the server.

 

Impact: Exploits of the unauthenticated API call could result in a slow or unresponsive Tableau Server.

 

Vulnerable Versions: Tableau Server 9.0 (through 9.0.22), 9.1 (through 9.1.19), 9.2 (through 9.2.18), 9.3 (through 9.3.15), 10.0 (through 10.0.10), 10.1 (through 10.1.8), 10.2 (through 10.2.2).

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server: 9.0.23

Tableau Server: 9.1.20

Tableau Server: 9.2.19

Tableau Server: 9.3.16

Tableau Server: 10.0.11

Tableau Server: 10.1.9

Tableau Server: 10.2.3

Summary: Tableau engineering is aware of and responding to the recent WannaCrypt/WannaCry ransomware. Tableau has deployed the necessary patches to secure the integrity of our systems and information and maintains up-to-date anti-malware software. Tableau encourages its customers to review patching in their environments to ensure that MS17-010 is applied to all Windows systems and that all systems have up-to-date anti-malware signatures.

 

Microsoft MS17-010 Critical Bulletin: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

 

SANS Internet Storm Center Summary: https://isc.sans.edu/forums/diary/WannaCryWannaCrypt+Ransomware+Summary/22420/

Severity: Critical

 

Summary: Unauthenticated users can craft requests that will execute arbitrary SQL statements in the repository (Postgres) database on Tableau Server.

 

Impact: This vulnerability could allow a remote attacker to gain administrative access to Tableau Server.

 

Vulnerable Versions: Tableau Server 9.2 (through 9.2.17), 9.3 (through 9.3.14), 10.0 (through 10.0.9), 10.1 (through 10.1.7), 10.2 (through 10.2.1).

 

Mitigation: Until the upgrade can be applied, mitigate this vulnerability by running the following tabadmin commands:

tabadmin stop

tabadmin set vizqlserver.httprequests.logging.threads 0

tabadmin configure

tabadmin start

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server: 9.2.18

Tableau Server: 9.3.15

Tableau Server: 10.0.10

Tableau Server: 10.1.8

Tableau Server: 10.2.2

Severity: Medium

 

Summary: Tableau Server writes some sensitive information to the log files in plain text.

 

Impact: A malicious user with access to Tableau Server logs can read data source passwords or the secrets used to protect the private keys used for SSL/TLS communication.

 

Vulnerable Version: Tableau Server 10.2 (through 10.2.1).

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server version:

 

Tableau Server: 10.2.2

Severity: Medium

 

Summary: This vulnerability requires that a malicious user embed specific parameters in a Tableau workbook and have rights to publish that workbook on Tableau Server. The malicious user must then construct a specially crafted URL that causes arbitrary JavaScript to run in the victim's browser at run time.

 

Impact: When users open the modified workbook via the specially crafted URL, arbitrary JavaScript can run in their browser session.

 

Vulnerable Versions: Tableau Server 10.1 (through 10.1.7), 10.2 (through 10.2.1).

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server: 10.1.8

Tableau Server: 10.2.2

Summary: The Tableau Software security engineering team has confirmed that Tableau Online and Tableau Public servers are not vulnerable to the recently disclosed Intel AMT privilege escalation vulnerability.

 

NVD Announcement for CVE-2017-5689: https://nvd.nist.gov/vuln/detail/CVE-2017-5689

Severity: Medium

 

Summary: On Tableau Server, the administrative view "Who has seen this view?" is a link displayed to users who publish views. The underlying URL can be manipulated to disclose metadata for all workbooks on the current site, regardless of the current user's permissions.

 

Impact: Any Tableau Server user with the View role can construct a URL that reveals the usernames, sheet names, and view counts for workbooks on the current site.

 

Vulnerable Versions: Tableau Server 8.3 (through 8.3.18), 9.0 (through 9.0.21), 9.1 (through 9.1.17), 9.2 (through 9.2.16), 9.3 (through 9.3.13), 10.0 (through 10.0.7), 10.1 (through 10.1.5)

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 8.3.19

Tableau Server 9.0.22

Tableau Server 9.1.18

Tableau Server 9.2.17

Tableau Server 9.3.14

Tableau Server 10.0.8

Tableau Server 10.1.6

Summary: Tableau Software security engineering has confirmed that no version of Tableau Server, current or previous, is impacted by CVE-2017-5638.

 

NVD Announcement: CVE-2017-5638

Summary: Tableau Software security engineering has confirmed that no version of Tableau Server, current or previous, is impacted by CVE-2016-3081.

 

NVD Announcement for CVE-2016-3081

Severity: Medium

 

Summary: Trusted authentication (trusted tickets) on Tableau Server allows authenticated REST API calls to access restricted content.

In the default configuration, users authenticated with trusted tickets have restricted access such that only views are available. Access to workbooks, project pages, or other content hosted on the server is restricted.

 

Impact: A REST API session established with a restricted trusted ticket can perform more actions on Tableau Server than documented. However, all actions remain scoped to the access the account is authorized for.

 

Vulnerable Versions: Tableau Server 9.0 (through 9.0.21), 9.1 (through 9.1.17), 9.2 (through 9.2.16), 9.3 (through 9.3.13), 10.0 (through 10.0.7), 10.1 (through 10.1.5), 10.2 (through 10.2.0)

 

Conditions: The REST API must be enabled. The server must be configured for trusted authentication.

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 9.0.22

Tableau Server 9.1.18

Tableau Server 9.2.17

Tableau Server 9.3.14

Tableau Server 10.0.8

Tableau Server 10.1.6

 

The remediation for this vulnerability is not yet available for Tableau Server 10.2. The remediation will be included in a future 10.2 maintenance release. This vulnerability disclosure will be updated when the 10.2 fix is released.

Severity: Medium

 

Summary: Tableau Server fails to scope the permission check to the requesting user's own site for some resource requests made by a site administrator.

 

Impact: A site administrator from one site may view limited metadata (e.g., workbook names) of resources stored on another site on the same Tableau Server.

 

Vulnerable Versions: Tableau Server 9.0 (through 9.0.21), 9.1 (through 9.1.17), 9.2 (through 9.2.16), 9.3 (through 9.3.13), 10.0 (through 10.0.7), 10.1 (through 10.1.5), 10.2 (through 10.2.0)

 

Conditions: The user must be a Site Administrator on the server and the resource must be associated with a scheduled task.

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 9.0.22

Tableau Server 9.1.18

Tableau Server 9.2.17

Tableau Server 9.3.14

Tableau Server 10.0.8

Tableau Server 10.1.6

Tableau Server 10.2.1

 

The remediation for this vulnerability is not yet available for Tableau Server 10.2. The remediation will be included in a future 10.2 maintenance release. This vulnerability disclosure will be updated when the 10.2 fix is released.