
Security Bulletins

17 Posts authored by: Joseph Salowey Employee

Severity: Medium

 

Summary: Tableau Prep does not properly validate the filenames contained in a maliciously-crafted Packaged Tableau Flow File (.tflx) when opening it. Because the entry names are trusted, the files in the package can be written outside of the intended temporary extraction location.

 

Impact: A Tableau Prep user who opens a maliciously-crafted Tableau Flow File can unknowingly write or overwrite files in any location the user has write access to.

 

Vulnerable Versions:  The following versions have this vulnerability:

Tableau Prep: 2018.1 through 2018.1.2

 

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Prep: 2018.2.1
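The bulletin above describes a path traversal through archive entry names. The following is an added example, not Tableau's code, and it assumes a packaged flow is a zip container (the real .tflx layout is not described on this page): it builds a constructed in-memory archive with one benign entry and two escaping entries, then extracts only the members whose resolved path stays inside the destination directory.

```python
import io
import os
import tempfile
import zipfile
from typing import List, Tuple


def build_sample_tflx() -> bytes:
    """Constructed stand-in for a malicious packaged flow (assumed zip layout).

    One entry is benign, one climbs out with '..', one is absolute.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flow.tfl", "<flow/>")
        zf.writestr("../../.bashrc", "echo pwned")
        zf.writestr("/etc/passwd", "root::0:0")
    return buf.getvalue()


def is_safe_member(name: str, dest_dir: str) -> bool:
    """True only if `name` resolves to a path strictly inside dest_dir."""
    norm = name.replace("\\", "/")  # treat Windows separators like '/'
    # Reject absolute paths, drive letters / UNC-style names and any '..' component.
    if norm.startswith("/") or ":" in norm or ".." in norm.split("/"):
        return False
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, norm))
    # realpath also defuses symlinked subdirectories that point outside dest.
    return target == dest or target.startswith(dest + os.sep)


def safe_extract(archive: bytes, dest_dir: str) -> List[str]:
    """Extract members that pass is_safe_member; return the rejected names
    so the caller can log them or abort the open entirely."""
    rejected = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename, dest_dir):
                rejected.append(info.filename)
                continue
            zf.extract(info, dest_dir)
    return rejected


def demo() -> Tuple[List[str], List[str]]:
    """Run safe_extract on the constructed sample inside a scratch directory
    and return (rejected names, files actually written)."""
    with tempfile.TemporaryDirectory() as d:
        rejected = safe_extract(build_sample_tflx(), d)
        written = sorted(
            os.path.relpath(os.path.join(root, f), d)
            for root, _, files in os.walk(d)
            for f in files
        )
    return rejected, written


if __name__ == "__main__":
    print(demo())
```

A consumer of untrusted packages should treat any rejected member as grounds to refuse the whole file rather than silently skipping it; an attacker who can get one entry past the check has already won.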

Summary: Tableau Software has confirmed that currently supported versions of Tableau Server are not impacted by CVE-2017-12615, CVE-2017-12616 or CVE-2017-12617. 

 

Tableau Server bundles a version of Apache Tomcat that falls within the affected range, but its configuration leaves the DefaultServlet readonly initialization parameter at its default value of true, so the HTTP PUT upload that CVE-2017-12615 and CVE-2017-12617 depend on is not reachable. Additionally, Tableau Server does not use a VirtualDirContext, which CVE-2017-12616 requires.

 

Apache Tomcat will be updated to a later version in a future maintenance release.  

Severity: High

 

Summary: Tableau Desktop and Tableau Server use a version of FlexNet Publisher that contains a vulnerability. The vulnerability can be exploited by malicious local users on Windows systems.

 

Impact: Attackers may gain elevated privileges on the computer running Tableau Desktop for Windows or on Tableau Server.

Vulnerable Versions: Tableau Desktop for Windows and Tableau Server 9.0.0 (through 9.0.23), 9.1.0 (through 9.1.20), 9.2.0 (through 9.2.19), 9.3.0 (through 9.3.17), 10.0.0 (through 10.0.12), 10.1.0 (through 10.1.10), 10.2.0 (through 10.2.4), 10.3.0 (through 10.3.2) and 10.4.0.

 

Mitigation: None.

 

Resolution: The issue can be fixed by upgrading to the following versions:

 

Tableau Server and Tableau Desktop 9.0.24

Tableau Server and Tableau Desktop 9.1.21

Tableau Server and Tableau Desktop 9.2.20

Tableau Server and Tableau Desktop 9.3.18

Tableau Server and Tableau Desktop 10.0.13

Tableau Server and Tableau Desktop 10.1.11

Tableau Server and Tableau Desktop 10.2.5

Tableau Server and Tableau Desktop 10.3.3

Tableau Server and Tableau Desktop 10.4.1

 

More information: https://nvd.nist.gov/vuln/detail/CVE-2016-10395

 

Updates:

 

9/20/17 - corrected Resolution to include Tableau Desktop

9/25/17 - added 10.4 to the Vulnerable Versions List

10/18/17 - updated Resolution to include versions 9.0-9.3

11/9/17 - updated Resolution to include version 10.4

Severity: Medium

 

Summary: The latest release of Tableau Server includes an updated version of Apache HTTPD (2.4.26). Apache HTTPD 2.4.26 fixes five vulnerabilities, among them a buffer overread in mod_mime (CVE-2017-7679) that can disclose sensitive information.

 

Impact: A malicious exploit of the MIME overread vulnerability could result in sensitive information disclosure.

 

Vulnerable Versions: Tableau Server 9.0.0 (through 9.0.23), 9.1.0 (through 9.1.20), 9.2.0 (through 9.2.19), 9.3.0 (through 9.3.17), 10.0.0 (through 10.0.12), 10.1.0 (through 10.1.10), 10.2.0 (through 10.2.4), 10.3.0 (through 10.3.2)

 

Resolution: The issue can be fixed by upgrading to the following versions:

 

Tableau Server 9.0.24

Tableau Server 9.1.21

Tableau Server 9.2.20

Tableau Server 9.3.18

Tableau Server 10.0.13

Tableau Server 10.1.11

Tableau Server 10.2.5

Tableau Server 10.3.3

 

More information: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7679

 

Updates:

10/18/2017 - updated resolution to include fixes in 9.0 through 9.3

Severity: Medium

 

Summary: Tableau Server writes some sensitive information to the log files in plain text.

 

Impact: Malicious users with access to Tableau Server log files may be able to recover passwords for data sources.

 

Vulnerable Versions: 10.3.0 (through 10.3.2)

 

Resolution: The issue can be fixed by upgrading to the following version:

 

Tableau Server 10.3.3
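Until the upgrade lands, an operator will want to know whether their existing logs already hold credentials and to scrub them before logs are shared or shipped to a collector. The following is an added example, not Tableau's code or log format: the sample lines are constructed in a generic application-log style, and the patterns cover the three shapes secrets usually take in logs (key=value, JSON "key":"value", and URL query parameters).

```python
import re
from typing import List, Tuple

# Constructed sample lines; not real Tableau Server output.
SAMPLE_LOG = """\
2017-08-01 10:00:01.234 +0000 (Default) INFO  vizqlserver: Connecting to datasource class=postgres server=db.example.internal
2017-08-01 10:00:01.240 +0000 (Default) DEBUG vizqlserver: connection-attributes {"server":"db.example.internal","username":"report_ro","password":"Hunter2!"}
2017-08-01 10:00:02.001 +0000 (Default) INFO  vizqlserver: jdbc:postgresql://db.example.internal/sales?user=report_ro&password=Hunter2!
2017-08-01 10:00:03.500 +0000 (Default) INFO  vizqlserver: Rendering view Sales/Overview for user alice
"""

# Group 1: the key and its separator (kept). Group 2: the value (reported / redacted).
# Quoted values run to the closing quote; bare values stop at whitespace or a
# query/list delimiter so we do not swallow the rest of a URL.
SECRET_RE = re.compile(
    r'(?i)("?(?:password|passwd|pwd|secret|token)"?\s*[:=]\s*)("[^"]*"|[^\s&;,]+)'
)


def find_secrets(text: str) -> List[Tuple[int, str]]:
    """Return (line number, secret value) for every credential-looking field."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SECRET_RE.finditer(line):
            hits.append((lineno, m.group(2).strip('"')))
    return hits


def redact(text: str) -> str:
    """Replace secret values in place, preserving JSON quoting so the line
    still parses for whoever consumes the sanitised log."""
    def _sub(m: "re.Match[str]") -> str:
        value = m.group(2)
        placeholder = '"[REDACTED]"' if value.startswith('"') else "[REDACTED]"
        return m.group(1) + placeholder
    return SECRET_RE.sub(_sub, text)


if __name__ == "__main__":
    for lineno, secret in find_secrets(SAMPLE_LOG):
        print(f"line {lineno}: credential value {secret!r}")
    print(redact(SAMPLE_LOG))
```

Scan before rotating logs off the box, and treat any hit as a reason to rotate the data-source credential itself: redaction fixes the copy you hold, not the copies that were already exported.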

Severity: High

 

Summary: Tableau Server configured for site-specific SAML contains a flaw that lets an attacker log in to a site they are not a member of. The attacker must already hold site administrator privileges on another site on the same server.

Impact: An attacker could log in to a site they have not been granted access to.

 

Vulnerable Versions: 10.0(through 10.0.12), 10.1 (through 10.1.10), 10.2 (through 10.2.4), 10.3 (through 10.3.2)

 

Resolution: The issue can be fixed by upgrading to the following versions:

 

Tableau Server 10.0.13

Tableau Server 10.1.11

Tableau Server 10.2.5

Tableau Server 10.3.3

Severity: High

 

Summary:  An attacker can specially craft a Tableau Workbook to execute code on a victim's machine.  The attacker must convince the user to open the workbook to complete the attack. 

 

Vulnerable Versions: Tableau Desktop, Reader and Public 8.2.0 (through 8.2.19), 8.3.0 (through 8.3.14), 9.0.0 (through 9.0.16), 9.1.0 (through 9.1.12), 9.2.0 (through 9.2.11), 9.3.0 (through 9.3.6), 10.0.0

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 8.2.20

Tableau Server 8.3.15

Tableau Server 9.0.17

Tableau Server 9.1.13

Tableau Server 9.2.11

Tableau Server 9.3.7

Tableau Server 10.0.1

 

Workaround:  None

 

Acknowledgement:  This issue was found internally

Severity: Medium

 

Summary:  An authenticated attacker with low privileges (that is, even a user who is not an administrator) can send a specially crafted message to Tableau Server that makes Tableau Server unresponsive for an extended period of time.

 

 

Vulnerable Versions: Tableau Server 10.0.0

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 10.0.1

 

Workaround:  None

 

Acknowledgement:  This issue was found internally

Severity:  Medium

 

Summary: Under certain conditions, information prepared for one user might be displayed to another user. For this problem to occur, both users must be looking at the same view, the view must be connected to a data source that returns different attribute values for each user, and the view must not have any user filters or user-specific calculations.

 

Vulnerable Versions: Tableau Server 9.1.0 (through 9.1.12), 9.2.0 (through 9.2.10), 9.3.0 (through 9.3.5), 10.0.0

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 9.1.13

Tableau Server 9.2.11

Tableau Server 9.3.6

Tableau Server 10.0.1

 

Workaround: Customers whose deployment meets the conditions of the vulnerability should upgrade to a non-vulnerable version as soon as possible.

As a temporary measure, you can disable the model cache on Tableau Server with the following command:

tabadmin set vizqlserver.modelcachesize 0

As with other tabadmin set changes, run tabadmin configure and restart Tableau Server for the setting to take effect. This change might impact the performance of Tableau Server, so we recommend reverting this setting after installing the Tableau upgrade.

 

Acknowledgement:  This vulnerability was reported to Tableau by a customer

Severity: Medium

 

Summary: An authenticated attacker with the ability to upload or edit a workbook might be able to trigger a cross-site scripting (XSS) vulnerability in Tableau Server. 

 

Vulnerable Versions: Tableau Server 8.2.0 (through 8.2.19), 8.3.0 (through 8.3.14), 9.0.0 (through 9.0.16), 9.1.0 (through 9.1.12), 9.2.0 (through 9.2.11), 9.3.0 (through 9.3.6), 10.0.0

 

Workaround:  None

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 8.2.20

Tableau Server 8.3.15

Tableau Server 9.0.17

Tableau Server 9.1.13

Tableau Server 9.2.12

Tableau Server 9.3.7

Tableau Server 10.0.1

 

Acknowledgement:  This issue was found internally

Summary:  A team of security researchers recently disclosed an issue that has been named HTTPoxy.  Tableau has investigated the issue, and we believe that Tableau Server is not vulnerable. As a precaution, we will be updating the Apache configuration in the September maintenance releases to further assure protection from CVE-2016-5387.

 

NVD Announcement for CVE-2016-5387

 

Acknowledgement:  For more information on HTTPoxy, see https://httpoxy.org
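HTTPoxy is a name collision: CGI and CGI-like environments turn every request header into an HTTP_<NAME> variable, so a client-supplied Proxy header becomes HTTP_PROXY, which many HTTP client libraries read as the outbound proxy to use. The following is an added example, not Tableau's code or Apache's: it performs the RFC 3875 header-to-variable mapping on a constructed request, shows the collision, and shows the hardened form that drops the Proxy header before the mapping, which is what the configuration-level mitigation on httpoxy.org achieves (for Apache httpd with mod_headers: RequestHeader unset Proxy early).

```python
from typing import Dict, Optional


def cgi_meta_variables(headers: Dict[str, str]) -> Dict[str, str]:
    """Map request headers to CGI meta-variables as RFC 3875 section 4.1.18
    prescribes: upper-case the name, replace '-' with '_', prefix HTTP_."""
    return {
        "HTTP_" + name.upper().replace("-", "_"): value
        for name, value in headers.items()
    }


def cgi_meta_variables_hardened(headers: Dict[str, str]) -> Dict[str, str]:
    """Same mapping, but a client-supplied Proxy header is discarded before it
    can become HTTP_PROXY. No legitimate client sends a Proxy request header."""
    return cgi_meta_variables(
        {name: value for name, value in headers.items() if name.lower() != "proxy"}
    )


def outbound_proxy(env: Dict[str, str]) -> Optional[str]:
    """What a proxy-aware HTTP client would pick up from this environment
    when the application makes its own outbound HTTP request."""
    return env.get("HTTP_PROXY")


# Constructed request; attacker.example is a placeholder, not a real host.
SAMPLE_REQUEST_HEADERS = {
    "Host": "tableau.example.internal",
    "User-Agent": "curl/7.54.0",
    "Proxy": "http://attacker.example:8080",
}

if __name__ == "__main__":
    print("naive   :", outbound_proxy(cgi_meta_variables(SAMPLE_REQUEST_HEADERS)))
    print("hardened:", outbound_proxy(cgi_meta_variables_hardened(SAMPLE_REQUEST_HEADERS)))
```

Stripping the header at the front-end web server is preferable to fixing each application, because it protects every CGI, FastCGI or similar backend behind it at once; the per-library defence (ignoring HTTP_PROXY whenever REQUEST_METHOD is set, which CPython's urllib adopted after the disclosure) only helps code that uses that library.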

Summary: On January 28, 2016 OpenSSL announced a high-severity vulnerability involving the use of Diffie-Hellman parameters based on unsafe primes. Our current determination is that Tableau Server, Tableau Desktop, Tableau Online, and Tableau Public are not affected by this vulnerability.

 

OpenSSL Security Advisory for CVE-2016-0701: https://www.openssl.org/news/secadv/20160128.txt

Severity: Medium

 

Summary: When Salesforce Canvas Adapter for Tableau (also known as Tableau Sparkler) is used with Salesforce, under certain circumstances an authenticated user can impersonate another Tableau Server user.  See this KB article for more information.

 

Vulnerable Versions:

All versions of Salesforce Canvas Adapter for Tableau, also known as Tableau Sparkler, through 1.0.1

 

Resolution: The issue can be fixed by upgrading to the following Sparkler version:

Tableau Sparkler 1.0.2

Severity: Medium

 

Summary: Under certain conditions a user might inadvertently store the credentials (such as username and password) for a data source (such as a database login) in a workbook.  See this KB article for more information.

 

Vulnerable Versions: Tableau Desktop 8.2 (through 8.2.13), 8.3 (through 8.3.8), 9.0 (through 9.0.4)

Tableau Server 8.2 (through 8.2.13), 8.3 (through 8.3.8), 9.0 (through 9.0.4)

Tableau Online

 

Resolution: The issue can be fixed by upgrading to the following Tableau Server or Tableau Desktop versions:

Tableau Desktop 8.2.14

Tableau Desktop 8.3.9

Tableau Server 9.0.5

Severity: Medium

 

Summary: In Tableau Desktop for Mac, certificates that are configured as "Never Trust" in the keychain are trusted by Tableau Desktop. See this KB article for more information.

 

Vulnerable Versions:

Tableau Desktop 8.2 (through 8.2.15), 8.3 (through 8.3.10), 9.0 (through 9.0.7), 9.1.0 (through 9.1.1)

 

Conditions: This vulnerability only affects Tableau Desktop running on Mac OS X.

 

Resolution: The issue can be fixed by upgrading to the following Tableau Desktop versions:

Tableau Desktop: 8.2.16

Tableau Desktop: 8.3.11

Tableau Desktop: 9.1.2