
Severity: Medium

Summary: The Tableau Services Manager (TSM) CLI logs all commands and their parameters to a local log file. When sensitive parameters are given, such as the password parameter used to authenticate to TSM, the value is written to the log in plaintext.

The TSM CLI component is included with Tableau Server on Linux. Tableau Server on Windows is not affected by this vulnerability.

Impact: Malicious users with access to the TSM CLI logs can access passwords that are used for authenticating to Tableau Services Manager.

Vulnerable Versions: The following versions have this vulnerability:

Tableau Server on Linux 10.5 (through 10.5.4)
Tableau Server on Linux 2018.1 (through 2018.1.1)

Resolution: The issue can be fixed by upgrading to one of the following versions:

Tableau Server on Linux 10.5.5
Tableau Server on Linux 2018.1.2

Acknowledgements: This issue was reported to Tableau by Paul Grimshaw (Totally Techy).

Severity: Medium

Summary: The authentication mechanism on the internal REST service used by Tableau Prep can be bypassed. The REST service runs only while Tableau Prep is in use. Because the REST service listens only on localhost, an attacker would need to be able to execute code on the host to exploit this vulnerability. In the remote case, a user would have to visit a malicious website that exploits the vulnerability.

Impact: An attacker who can make calls to the REST service can read data from the data sources that Tableau Prep is connected to.

Vulnerable Versions: The following versions have this vulnerability:

Tableau Prep 2018.1 (through 2018.1.1)

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Prep 2018.1.2 or later

Severity: Critical

Summary: Some versions of Tableau Server contain a vulnerability that allows a malicious user with publishing privileges to publish a workbook that runs malicious code. The code runs with the security privileges of the Tableau Server service account (the "Run As User" account on Windows and the "tableau" system user on Linux). Deployments that allow untrusted publishers, or that rely on sites to enforce security boundaries between groups of users, are at the highest risk from this vulnerability.

Tableau Desktop is also vulnerable; on Desktop the issue is exploited when a user opens a maliciously crafted workbook.

Tableau Online and the Tableau Public community platform are not affected by this vulnerability.

Impact: Remote code execution that could affect the confidentiality, integrity, and availability of Tableau Server. Because the code runs as the service account, a malicious user hosted on one site of a Tableau Server instance could compromise another site hosted on the same computer.

On Tableau Desktop, the vulnerability could result in the execution of malicious code affecting the confidentiality, integrity, and availability of the computer running Tableau Desktop. In the Desktop scenario, the code runs in the security context of the user who opens the compromised workbook.

Vulnerable Versions: The following versions of Tableau Server and Tableau Desktop (including Tableau Desktop Public Edition and Tableau Reader) are vulnerable:

Tableau Server on Linux through 10.5.3
Tableau Server on Linux through 2018.1.0

Tableau Server on Windows through 9.2.23
Tableau Server on Windows through 9.3.21
Tableau Server on Windows through 10.0.17
Tableau Server on Windows through 10.1.16
Tableau Server on Windows through 10.2.12
Tableau Server on Windows through 10.3.10

Tableau Desktop through 9.2.23
Tableau Desktop through 9.3.21
Tableau Desktop through 10.0.17
Tableau Desktop through 10.1.16
Tableau Desktop through 10.2.12
Tableau Desktop through 10.3.10

The following versions are not vulnerable:

  • Tableau Desktop 10.4, 10.5 and 2018.1 on Windows or Mac
  • Tableau Server on Windows 10.4.x
  • Tableau Server on Windows 10.5.x
  • Tableau Server on Windows 2018.1

Resolution: The issue can be fixed by upgrading to one of the following versions:

Tableau Server on Windows - 9.2.24, 9.3.22, 10.0.18, 10.1.17, 10.2.13, 10.3.11
Tableau Server on Linux - 2018.1.1, 10.5.4
Tableau Desktop - 9.2.24, 9.3.22, 10.0.18, 10.1.17, 10.2.13, 10.3.11

Severity: Medium

Summary: Tableau Services Manager (TSM) passes a sensitive value on the command line during node initialization.

TSM is included with Tableau Server on Linux. Tableau Server on Windows is not affected by this vulnerability.

Impact: Malicious users with access to the host and the ability to view the process list could read process attributes, including the TSM administrator password.

Vulnerable Versions: The following versions have this vulnerability:

Tableau Server on Linux 2018.1 (through 2018.1.0)

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server on Linux 2018.1.1

Severity: High

Summary: An authenticated remote attacker can send a specially crafted message that results in the disclosure of information from Tableau Server. The scope of the disclosure is bounded by the access privileges of the Tableau Server service account. For more information about the Tableau Server service account, see the online documentation (Windows | Linux).

Impact: Exploitation of the authenticated API call can disclose the contents of any local file that the Tableau Server service account can read.

Vulnerable Versions: The following versions have this vulnerability:

Tableau Server: 9.2 through 9.2.23
Tableau Server: 9.3 through 9.3.21
Tableau Server: 10.0 through 10.0.17
Tableau Server: 10.1 through 10.1.16
Tableau Server: 10.2 through 10.2.12
Tableau Server: 10.3 through 10.3.10
Tableau Server: 10.4 through 10.4.6
Tableau Server on Windows: 10.5 through 10.5.3
Tableau Server on Linux: 10.5 through 10.5.3
Tableau Server on Windows: 2018.1
Tableau Server on Linux: 2018.1

Resolution: The issue can be fixed by upgrading to one of the following versions:

Tableau Server: 9.2.24
Tableau Server: 9.3.22
Tableau Server: 10.0.18
Tableau Server: 10.1.17
Tableau Server: 10.2.13
Tableau Server: 10.3.11
Tableau Server: 10.4.7
Tableau Server on Windows: 10.5.4
Tableau Server on Linux: 10.5.4
Tableau Server on Windows: 2018.1.1
Tableau Server on Linux: 2018.1.1

Severity: High

Summary: The 'readonly' and 'tableau' users in the repository are intended to have limited access to the tables in the repository. See "Collect Data with the Tableau Server Repository" (Windows | Linux).

By default, these accounts have read access to tables in the repository. This vulnerability additionally grants them write access to two repository tables that may contain workbook information.

Impact: Malicious users with access to the 'readonly' or 'tableau' repository accounts can access data sources that are embedded in published workbooks. They may also modify the contents of workbooks stored in the vulnerable tables.

Mitigation: Disable access to the repository for the 'readonly' and 'tableau' user accounts:

Windows: http://onlinehelp.tableau.com/v2018.1/server/en-us/tabadmin_cmd.htm#dbpass
Linux: https://onlinehelp.tableau.com/v2018.1/server-linux/en-us/cli_data-access.htm#repository-access-disable

Vulnerable Versions: The following versions have this vulnerability:

Tableau Server: 9.2 through 9.2.23
Tableau Server: 9.3 through 9.3.21
Tableau Server: 10.0 through 10.0.17
Tableau Server: 10.1 through 10.1.16
Tableau Server: 10.2 through 10.2.12
Tableau Server: 10.3 through 10.3.10
Tableau Server: 10.4 through 10.4.6
Tableau Server on Windows: 10.5 through 10.5.3
Tableau Server on Linux: 10.5 through 10.5.3
Tableau Server on Windows: 2018.1
Tableau Server on Linux: 2018.1

Resolution: The issue can be fixed by upgrading to one of the following versions:

Tableau Server: 9.2.24
Tableau Server: 9.3.22
Tableau Server: 10.0.18
Tableau Server: 10.1.17
Tableau Server: 10.2.13
Tableau Server: 10.3.11
Tableau Server: 10.4.7
Tableau Server on Windows: 10.5.4
Tableau Server on Linux: 10.5.4
Tableau Server on Windows: 2018.1.1
Tableau Server on Linux: 2018.1.1

Severity: Medium

Summary: Tableau Services Manager (TSM) can expose sensitive information if an unauthenticated API endpoint is queried while a TSM job is in progress.

Tableau Services Manager is a component included with Tableau Server on Linux. Tableau Server on Windows is not affected by this vulnerability.

Impact: Malicious users who can make API calls to Tableau Services Manager can learn sensitive information, such as passwords used for authenticating internal services on Tableau Server.

Vulnerable Versions: The following versions have this vulnerability:

Tableau Server on Linux 10.5 (through 10.5.3)
Tableau Server on Linux 2018.1

Resolution: The issue can be fixed by upgrading to one of the following versions:

Tableau Server on Linux 10.5.4
Tableau Server on Linux 2018.1.1

Severity: Medium

Summary: Tableau Services Manager (TSM) logs all configuration value changes to a local log file. When sensitive values are changed, such as filestore.zookeeper.password, both the old and the new value are written to the log in plaintext.

The Tableau Services Manager component is included with Tableau Server on Linux. Tableau Server on Windows is not affected by this vulnerability.

Impact: Malicious users with access to the Tableau Services Manager logs can access passwords that are used for authenticating internal services on Tableau Server.

Vulnerable Versions: The following versions have this vulnerability:

Tableau Server on Linux 10.5 (through 10.5.1)

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server on Linux 10.5.2

Severity: Medium

Summary: An API call used to retrieve a user image on Tableau Server lacks an access control check, allowing an authenticated user to obtain the image of a user on another site.

Impact: This vulnerability allows an authenticated user to obtain the image of a user on another site.

Vulnerable Versions: The following versions of Tableau Server are vulnerable:

Tableau Server: 10.1 through 10.1.12
Tableau Server: 10.2 through 10.2.7
Tableau Server: 10.3 through 10.3.5
Tableau Server: 10.4 through 10.4.1
Tableau Server: 10.5 through 10.5.0

Resolution: The issue can be fixed by upgrading to one of the following versions:

Tableau Server: 10.1.13
Tableau Server: 10.2.8
Tableau Server: 10.3.7
Tableau Server: 10.4.3
Tableau Server: 10.5.1

Severity: Medium

Summary: An API call lacks an authorization check in one of its functions. The vulnerability may disclose the friendly user name of a user on another site on the Tableau Server. The vulnerable API may be called by any authenticated user on a site.

Impact: Disclosure of the friendly user name of a user on another site.

Vulnerable Versions: The following versions of Tableau Server are vulnerable:

Tableau Server: 9.1 through 9.1.21
Tableau Server: 9.2 through 9.1.20
Tableau Server: 9.3 through 9.3.18
Tableau Server: 10.0 through 10.0.14
Tableau Server: 10.1 through 10.1.12
Tableau Server: 10.2 through 10.2.7
Tableau Server: 10.3 through 10.3.5
Tableau Server: 10.4 through 10.4.1
Tableau Server: 10.5 through 10.5.0

Resolution: The issue can be fixed by upgrading to one of the following versions:

Tableau Server: 9.1.22
Tableau Server: 9.2.21
Tableau Server: 9.3.19
Tableau Server: 10.0.15
Tableau Server: 10.1.13
Tableau Server: 10.2.8
Tableau Server: 10.3.7
Tableau Server: 10.4.3
Tableau Server: 10.5.1

Severity: Medium

Summary: Dashboard web objects in Tableau Desktop can execute untrusted JavaScript and may therefore be vulnerable to information disclosure through the Spectre vulnerability (CVE-2017-5753 and CVE-2017-5715).

Web data connectors on Tableau Server and Tableau Desktop also execute JavaScript code and may therefore be vulnerable to Spectre. As a mitigation for Tableau Server, you can configure a safe list so that web data connectors can only run from trusted URLs. See Web Data Connectors.

Impact: This vulnerability may allow an attacker to read some memory in the same process that executes the untrusted JavaScript code.

Vulnerable Versions: The following versions of Tableau Desktop and Tableau Server are vulnerable:

Tableau Desktop and Server: 9.1 through 9.1.21
Tableau Desktop and Server: 9.2 through 9.2.20
Tableau Desktop and Server: 9.3 through 9.3.18
Tableau Desktop and Server: 10.0 through 10.0.14
Tableau Desktop and Server: 10.1 through 10.1.12
Tableau Desktop and Server: 10.2 through 10.2.7
Tableau Desktop and Server: 10.3 through 10.3.5
Tableau Desktop and Server: 10.4 through 10.4.1
Tableau Desktop and Server: 10.5 through 10.5.0

Resolution: The issue can be fixed by upgrading to one of the following versions:

Tableau Desktop and Server: 9.1.22
Tableau Desktop and Server: 9.2.21
Tableau Desktop and Server: 9.3.19
Tableau Desktop and Server: 10.0.15
Tableau Desktop and Server: 10.1.13
Tableau Desktop and Server: 10.2.8
Tableau Desktop and Server: 10.3.7
Tableau Desktop and Server: 10.4.3
Tableau Desktop and Server: 10.5.1

Severity: High

Summary: A heap overflow vulnerability in Tableau Server and Tableau Desktop may result in code execution. To exploit this vulnerability on Tableau Server, the attacker must be an authenticated user with the ability to publish views or workbooks. On Tableau Desktop, the vulnerability is exploited when a user opens a malicious file.

Impact: An attacker exploiting this vulnerability may be able to execute arbitrary code or cause a crash.

Vulnerable Versions: The following versions of Tableau Desktop and Tableau Server are vulnerable:

Tableau Desktop and Server: 9.1 through 9.1.21
Tableau Desktop and Server: 9.2 through 9.1.20
Tableau Desktop and Server: 9.3 through 9.3.18
Tableau Desktop and Server: 10.0 through 10.0.14
Tableau Desktop and Server: 10.1 through 10.1.12
Tableau Desktop and Server: 10.2 through 10.2.7
Tableau Desktop and Server: 10.3 through 10.3.5
Tableau Desktop and Server: 10.4 through 10.4.1
Tableau Desktop and Server: 10.5 through 10.5.0

Resolution: The issue can be fixed by upgrading to one of the following versions:

Tableau Desktop and Server: 9.1.22
Tableau Desktop and Server: 9.2.21
Tableau Desktop and Server: 9.3.19
Tableau Desktop and Server: 10.0.15
Tableau Desktop and Server: 10.1.13
Tableau Desktop and Server: 10.2.8
Tableau Desktop and Server: 10.3.7
Tableau Desktop and Server: 10.4.3
Tableau Desktop and Server: 10.5.1

Acknowledgement: This vulnerability was discovered by Kushal Arvind Shah of Fortinet's FortiGuard Labs.

Tableau Software is evaluating the vulnerabilities disclosed on January 4th, 2018: Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715).

The Tableau Software security team is investigating how these vulnerabilities may or may not manifest in Tableau products.

2018-01-05 Update:

On-Premise Products:

The Tableau Software security team is investigating how these vulnerabilities may or may not manifest in Tableau products. Be sure to update your operating systems according to your patching and security program requirements. See "Additional Resources" below.

Tableau Online and Public:

The Tableau Operations team is working to apply the published patches for these vulnerabilities in the Tableau Online and Tableau Public infrastructure. No customer action is required.

2018-02-22 Update:

On-Premise Products:

The Tableau Software security team has identified areas within Tableau products that may run untrusted JavaScript and are possibly vulnerable to Spectre-related side-channel attacks. Please see the following important security bulletin for more information: [Important] ADV-2018-002: Spectre Vulnerability in Tableau Desktop and Tableau Server

Tableau Online and Public:

The Tableau Operations team is continuing to monitor vendor responses to these vulnerabilities and apply updates as they are released. The maintenance release containing the above Tableau product patch has been applied in all Online environments. No customer action is required.

Additional Resources:

For more information on these vulnerabilities and their remediation, see:

Severity: Medium

Summary: The Tableau Bridge client logs data source passwords to the TabOnlineSyncSvc.log log file. This log file is located on the host running the Bridge client. Only Tableau Desktop installations that use the Tableau Bridge feature are vulnerable to this information disclosure.

Impact: Malicious users with access to the Tableau Bridge client logs can access passwords for the data sources that the Bridge client has connected to.

Vulnerable Versions: The Tableau Bridge client is included with Tableau Desktop for Windows. The following versions have this vulnerability: 10.3 (through 10.3.5), 10.4 (through 10.4.1).

Resolution: The issue can be fixed by upgrading to one of the following versions:

Tableau Desktop for Windows 10.3.7

Tableau Desktop for Windows 10.4.3

Summary: Tableau Software has confirmed that currently supported versions of Tableau Server are not impacted by CVE-2017-12615, CVE-2017-12616 or CVE-2017-12617.

Tableau Server uses a vulnerable version of Apache Tomcat, but the implementation does not set the readonly initialization parameter, as specified in CVE-2017-12615 and CVE-2017-12617. Additionally, Tableau Server does not implement VirtualDirContexts as specified in CVE-2017-12616.

Apache Tomcat will be updated to a later version in a future maintenance release.