Security Bulletins

5 posts authored by Matt Gizbert

[Informational] INF-2017-005: Extract refreshes can unhide columns

Summary: If you have any extracts on Tableau Server with hidden columns, the columns become unhidden when the extract is refreshed.

This can lead to slower extract refreshes, larger extracts, slower viz performance, and previously hidden columns becoming visible to users.

See issue 670693 on https://www.tableau.com/support/known-issues.

Versions Affected: Tableau Server 10.2.3, Tableau Desktop 10.2.3

[Important] ADV-2017-018: Privilege escalation when using Mutual SSL on Tableau Server

Severity: Critical

Summary: There is an authentication bypass vulnerability that allows an attacker to authenticate as a Tableau Server user of their choice.

The vulnerability is exploitable when the following conditions are true:

  • Tableau Server is configured for Mutual SSL authentication (authentication with client certificates)
  • The insecure HTTP port (default is port 80) is accessible to an attacker

Impact: An unauthenticated attacker can access Tableau Server as a Tableau Server user.

Vulnerable Versions: 9.1.0 (through 9.1.19), 9.2.0 (through 9.2.18), 9.3.0 (through 9.3.16), 10.0.0 (through 10.0.11), 10.1.0 (through 10.1.9), 10.2.0 (through 10.2.3), 10.3.0 (through 10.3.1)

Mitigation: Disable the insecure HTTP port (default is port 80) on the computer running Tableau Server.

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

  • Tableau Server 9.1.20
  • Tableau Server 9.2.19
  • Tableau Server 9.3.17
  • Tableau Server 10.0.12
  • Tableau Server 10.1.10
  • Tableau Server 10.2.4
  • Tableau Server 10.3.2

[Important] ADV-2017-016: REST API may trigger extract refreshes on the wrong site

Severity: Medium

Summary: In some cases, REST API calls intended for one site will refresh an extract on a different site hosted on the same Tableau Server.

Impact: An extract refresh on another site will be triggered, consuming resources unnecessarily. In addition, the workbook and data source names of the other site are disclosed to the site that initiated the refresh as a byproduct of the extract refresh.

Data from the extract or the target data source are not disclosed.

Vulnerable Versions: 10.3.0 (through 10.3.1)

Mitigation: None

Resolution: The issue can be fixed by upgrading to the following Tableau Server version:

  • Tableau Server 10.3.2

[Important] ADV-2017-013: Unauthenticated privilege escalation when Server SAML is configured on Tableau Server

Severity: Critical

Summary: Tableau Server is vulnerable to an unauthenticated privilege escalation under the following conditions:

  • Installations that have Server SAML and Local Authentication configured in tandem.

The following configurations are NOT vulnerable:

  • Installations that only use Site SAML.
  • User accounts that have been configured with an explicit password to enable REST API or tabcmd access.
  • Organizations that synchronize user accounts from Active Directory.

For guidance on determining whether your organization is running a vulnerable configuration, see Questions and Answers regarding ADV-2017-013: Privilege escalation in Tableau Server.

Impact: An unauthenticated attacker can escalate their privilege to access resources with the permissions of other Tableau Server users.

Vulnerable Versions: 10.0.0 (through 10.0.10), 10.1.0 (through 10.1.8), 10.2.0 (through 10.2.2), 10.3.0

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

  • Tableau Server 10.0.11
  • Tableau Server 10.1.9
  • Tableau Server 10.2.3
  • Tableau Server 10.3.1

Mitigation: If your Tableau Server instance is using one of the vulnerable configurations and you are unable to upgrade to a fixed version now, see Questions and Answers regarding ADV-2017-013: Privilege escalation in Tableau Server.

Acknowledgement: Greg Harris of the Fitbit Security Team
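The "Vulnerable Versions" lines in ADV-2017-018 and ADV-2017-013 above use a compact range notation that is easy to misread when checking a fleet of servers, and ADV-2017-018's list as published omits a comma between two ranges. The following script is an added example, not Tableau's code or part of these bulletins: it parses those two lines verbatim into inclusive version ranges and reports which advisory applies to a deployment, given the configuration preconditions each advisory states (Mutual SSL plus a reachable insecure HTTP port for ADV-2017-018; Server SAML configured alongside Local Authentication for ADV-2017-013). The deployment facts passed to `assess()` are constructed placeholders, and the function and constant names are this example's own.

```python
import re
from typing import List, Tuple

# Version-range strings copied verbatim from the two advisories above,
# including the missing comma after "9.2.18)" in ADV-2017-018.
ADV_2017_018_VULNERABLE = (
    "9.1.0 (through 9.1.19), 9.2.0 (through 9.2.18) 9.3.0 (through 9.3.16), "
    "10.0.0 (through 10.0.11), 10.1.0 (through 10.1.9), 10.2.0 (through 10.2.3), "
    "10.3.0 (through 10.3.1)"
)
ADV_2017_013_VULNERABLE = (
    "10.0.0 (through 10.0.10), 10.1.0 (through 10.1.8), 10.2.0 (through 10.2.2), 10.3.0"
)

Version = Tuple[int, int, int]

# One entry is either "X.Y.Z (through A.B.C)" or a bare "X.Y.Z" (a single
# affected release, as with 10.3.0 in ADV-2017-013). Separators between
# entries are not required, so the missing comma above is tolerated.
_ENTRY_RE = re.compile(
    r"(\d+\.\d+(?:\.\d+)?)(?:\s*\(through\s+(\d+\.\d+(?:\.\d+)?)\))?"
)


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]' into a 3-tuple so tuple comparison orders releases correctly."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unsupported version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def parse_ranges(text: str) -> List[Tuple[Version, Version]]:
    """Turn an advisory's 'Vulnerable Versions' line into inclusive (low, high) ranges."""
    ranges: List[Tuple[Version, Version]] = []
    for low, high in _ENTRY_RE.findall(text):
        lo = parse_version(low)
        hi = parse_version(high) if high else lo  # bare entry: a single release
        if lo > hi:
            raise ValueError(f"inverted range {low} .. {high}")
        ranges.append((lo, hi))
    return ranges


def is_vulnerable(version: str, ranges: List[Tuple[Version, Version]]) -> bool:
    """True if the given release falls inside any of the inclusive ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in ranges)


def assess(version: str, mutual_ssl: bool, http_port_open: bool,
           server_saml_with_local_auth: bool) -> List[str]:
    """Return the advisory IDs that apply to a deployment, combining the version
    check with the configuration preconditions each advisory states."""
    findings: List[str] = []
    # ADV-2017-018 applies only with Mutual SSL and a reachable insecure HTTP port.
    if (is_vulnerable(version, parse_ranges(ADV_2017_018_VULNERABLE))
            and mutual_ssl and http_port_open):
        findings.append("ADV-2017-018")
    # ADV-2017-013 applies only with Server SAML and Local Authentication in tandem.
    if (is_vulnerable(version, parse_ranges(ADV_2017_013_VULNERABLE))
            and server_saml_with_local_auth):
        findings.append("ADV-2017-013")
    return findings


if __name__ == "__main__":
    # Constructed deployment facts for illustration, not taken from any real server.
    print(assess("10.2.3", mutual_ssl=True, http_port_open=True,
                 server_saml_with_local_auth=True))
```

Because the fixed releases (for example 10.2.4 and 10.3.2 for ADV-2017-018) are the first patch level past each range's upper bound, a server that reports a version above a range but on the same branch is correctly reported as not affected. The ADV-2017-018 mitigation of disabling the insecure HTTP port is reflected by `http_port_open=False`, which drops that advisory from the findings even on an unpatched version.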

Summary: Tableau Online includes the feature "Admin Views," which allows authenticated site administrators to view usage, traffic, and other metadata on a given site.

On 23 May 2017, from 13:05 PST to 20:00 PST, site administrators could view metadata from other sites hosted on the same Tableau Online pod, including usernames (displayed as email addresses), workbook names, data source names, and view titles. Tableau Online usage statistics indicate that the potential metadata breach was limited to 36 people who logged in and used Admin Views during the outage period.

Data contained in the workbooks was not exposed.

Vulnerable Version: Tableau Online, pods 10AY and US-East-1

Resolution: As of 23 May 2017 20:00 PST the issue has been resolved. No user action is required.