Tableau Software is evaluating the vulnerabilities disclosed on January 4th, 2018: Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715)

The Tableau Software security team is investigating how these vulnerabilities may or may not manifest in Tableau products.

2018-01-05 Update:

On-Premise Products:

The Tableau Software security team is investigating how these vulnerabilities may or may not manifest in Tableau products. Be sure to update your operating systems according to your patching and security program requirements. See "Additional Resources" below.

Tableau Online and Public:

The Tableau Operations team is working to apply the published patches for these vulnerabilities to the Tableau Online and Tableau Public infrastructure. No customer action is required.

2018-02-22 Update:

On-Premise Products:

The Tableau Software security team has identified areas within Tableau products that may run untrusted JavaScript and are therefore possibly exposed to Spectre-related side-channel attacks. Please see the following important security bulletin for more information: [Important] ADV-2018-002: Spectre Vulnerability in Tableau Desktop and Tableau Server

Tableau Online and Public:

The Tableau Operations team is continuing to monitor vendor responses to these vulnerabilities and to apply updates as they are released. The maintenance release containing the above Tableau product patch has been applied in all Tableau Online environments. No customer action is required.

Additional Resources:

For more information on these vulnerabilities and their remediation, see:

Severity: Medium

Summary: The Tableau Bridge client logs data source passwords to the TabOnlineSyncSvc.log logfile. This logfile is located on the host running the Bridge client. Only Tableau Desktop installations that use the Tableau Bridge feature are affected by this information disclosure.

Impact: Malicious users with access to the Tableau Bridge client logs can read the passwords of data sources that the Bridge client has connected to.

Vulnerable Versions: The Tableau Bridge client is included with Tableau Desktop for Windows. The following versions have this vulnerability: 10.3 (through 10.3.5), 10.4 (through 10.4.1).

Resolution: The issue can be fixed by upgrading to the following versions:

Tableau Desktop for Windows 10.3.7

Tableau Desktop for Windows 10.4.3

Summary: Tableau Software has confirmed that currently supported versions of Tableau Server are not impacted by CVE-2017-12615, CVE-2017-12616 or CVE-2017-12617.

Tableau Server uses a version of Apache Tomcat that contains these vulnerabilities, but the Tableau Server configuration does not set the DefaultServlet readonly initialization parameter to false, which is the precondition for CVE-2017-12615 and CVE-2017-12617. Additionally, Tableau Server does not use VirtualDirContext, which is the precondition for CVE-2017-12616.

Apache Tomcat will be updated to a later version in a future maintenance release.
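The two preconditions this bulletin relies on are configuration facts that can be verified directly on a Tomcat deployment. As an added example (not Tableau's or Apache Tomcat's own code; the web.xml and context.xml documents are constructed for the example), the following script parses a Tomcat web.xml and context.xml and reports which of the three CVEs have their precondition met, applying the same parsing rule Tomcat's DefaultServlet uses for the readonly parameter:

```python
# Added example, not Tableau's or Apache Tomcat's own code: check the two
# configuration preconditions the bulletin relies on.
#   CVE-2017-12615 / CVE-2017-12617: DefaultServlet declared with readonly=false
#   CVE-2017-12616: a Resources element using Tomcat 7's VirtualDirContext
# All XML below is constructed for this example.
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"
VIRTUAL_DIR_CONTEXT = "VirtualDirContext"


def _local(tag):
    """Strip the namespace so java.sun.com and xmlns.jcp.org web.xml files parse alike."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child whose local name is `name`, or ''."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def default_servlet_read_only(web_xml):
    """True when every DefaultServlet declaration in web_xml is read-only.

    Tomcat reads the init-param with Boolean.parseBoolean, so only the literal
    'true' (any case) keeps PUT/DELETE disabled; 'false', 'no' and '0' all
    enable them. An absent parameter falls back to Tomcat's default of true.
    """
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            if _child_text(param, "param-name") == "readonly":
                if _child_text(param, "param-value").lower() != "true":
                    return False
    return True


def uses_virtual_dir_context(context_xml):
    """True when any element's className attribute names VirtualDirContext."""
    root = ET.fromstring(context_xml)
    return any(VIRTUAL_DIR_CONTEXT in e.get("className", "") for e in root.iter())


def applicable_cves(web_xml, context_xml):
    """CVE ids whose configuration precondition these two files satisfy."""
    cves = []
    if not default_servlet_read_only(web_xml):
        cves += ["CVE-2017-12615", "CVE-2017-12617"]
    if uses_virtual_dir_context(context_xml):
        cves.append("CVE-2017-12616")
    return cves


# Constructed sample: an exposed Tomcat 7 deployment (PUT enabled, extra
# directory mounted through VirtualDirContext).
WEAK_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>
"""
WEAK_CONTEXT_XML = """
<Context>
  <Resources className="org.apache.naming.resources.VirtualDirContext"
             extraResourcePaths="/shared=/opt/shared"/>
</Context>
"""
# Constructed sample: stock defaults, readonly unset and no VirtualDirContext,
# the configuration shape the bulletin describes for Tableau Server.
SAFE_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
  </servlet>
</web-app>
"""
SAFE_CONTEXT_XML = "<Context><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>"

if __name__ == "__main__":
    for label, web, ctx in (("weak", WEAK_WEB_XML, WEAK_CONTEXT_XML),
                            ("safe", SAFE_WEB_XML, SAFE_CONTEXT_XML)):
        print(label, applicable_cves(web, ctx) or "no precondition met")
```

Run it against conf/web.xml and conf/context.xml and, because a web application can redeclare the default servlet, against each application's WEB-INF/web.xml and META-INF/context.xml as well. Tomcat only treats the literal value true as read-only, so readonly=no or readonly=0 enables PUT just as readonly=false does. A clean result confirms the configuration is not exposed; it does not replace updating Tomcat, which the bulletin schedules for a later maintenance release.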

Severity: High

Summary: Tableau Desktop and Tableau Server use a version of FlexNet Publisher that contains a vulnerability (CVE-2016-10395). The vulnerability can be exploited by malicious local users on Windows systems.

Impact: Attackers may gain elevated privileges on the computer running Tableau Desktop for Windows or on Tableau Server.

Vulnerable Versions: Tableau Desktop for Windows and Tableau Server 9.0.0 (through 9.0.23), 9.1.0 (through 9.1.20), 9.2.0 (through 9.2.19), 9.3.0 (through 9.3.17), 10.0.0 (through 10.0.12), 10.1.0 (through 10.1.10), 10.2.0 (through 10.2.4), 10.3.0 (through 10.3.2) and 10.4.0.

Mitigation: None.

Resolution: The issue can be fixed by upgrading to the following versions:

Tableau Server and Tableau Desktop 9.0.24

Tableau Server and Tableau Desktop 9.1.21

Tableau Server and Tableau Desktop 9.2.20

Tableau Server and Tableau Desktop 9.3.18

Tableau Server and Tableau Desktop 10.0.13

Tableau Server and Tableau Desktop 10.1.11

Tableau Server and Tableau Desktop 10.2.5

Tableau Server and Tableau Desktop 10.3.3

Tableau Server and Tableau Desktop 10.4.1

More information: https://nvd.nist.gov/vuln/detail/CVE-2016-10395

Updates:

9/20/17 - corrected Resolution to include Tableau Desktop

9/25/17 - added 10.4 to the Vulnerable Versions list

10/18/17 - updated Resolution to include versions 9.0-9.3

11/9/17 - updated Resolution to include version 10.4

Severity: Medium

Summary: The latest release of Tableau Server includes an updated version of Apache HTTPD (2.4.26). Apache HTTPD 2.4.26 fixes five vulnerabilities, among them a MIME overread vulnerability in mod_mime (CVE-2017-7679) that could disclose sensitive information.

Impact: A successful exploit of the MIME overread vulnerability could result in sensitive information disclosure.

Vulnerable Versions: Tableau Server 9.0.0 (through 9.0.23), 9.1.0 (through 9.1.20), 9.2.0 (through 9.2.19), 9.3.0 (through 9.3.17), 10.0.0 (through 10.0.12), 10.1.0 (through 10.1.10), 10.2.0 (through 10.2.4), 10.3.0 (through 10.3.2)

Resolution: The issue can be fixed by upgrading to the following versions:

Tableau Server 9.0.24

Tableau Server 9.1.21

Tableau Server 9.2.20

Tableau Server 9.3.18

Tableau Server 10.0.13

Tableau Server 10.1.11

Tableau Server 10.2.5

Tableau Server 10.3.3

More information: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7679

Updates:

10/18/2017 - updated Resolution to include fixes in 9.0 through 9.3

Severity: Medium

Summary: Tableau Server writes some sensitive information, including data source passwords, to its log files in plain text.

Impact: Malicious users with access to Tableau Server logs may be able to read passwords for data sources.

Vulnerable Versions: Tableau Server 10.3.0 (through 10.3.2)

Resolution: The issue can be fixed by upgrading to the following version:

Tableau Server 10.3.3
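Both this bulletin and the Tableau Bridge client bulletin above (TabOnlineSyncSvc.log) leave the same question for an operator: which credentials already sit in the logs, and how to scrub a copy before it is shared. As an added example, not Tableau's code, and with a constructed log layout since neither bulletin publishes the real format, the following scanner flags credential fields on sample log lines and redacts their values:

```python
# Added example, not Tableau's code: find credential fields that were written
# to a log and produce a redacted copy. The log line layout and field names are
# constructed for the example; the bulletins do not publish the real format.
import re

# Matches key=value, key: value, key="value" and JSON-style "key": "value"
# for the usual credential keys. Callers use the 'key' and 'value' groups.
_CRED_RE = re.compile(
    r'(?P<key>\b(?:password|passwd|pwd|secret|token)\b)'
    r'\s*"?\s*[:=]\s*'
    r'(?P<value>"[^"]*"|\'[^\']*\'|[^\s;,&]+)',
    re.IGNORECASE,
)
REDACTED = "<redacted>"


def find_credentials(lines):
    """Return (line_number, key, secret) for every credential-looking field."""
    hits = []
    for number, line in enumerate(lines, 1):
        for m in _CRED_RE.finditer(line):
            hits.append((number, m.group("key").lower(), m.group("value").strip("\"'")))
    return hits


def redact(line):
    """Replace each credential value with REDACTED, keeping key and quoting."""
    def _sub(m):
        prefix = m.group(0)[: m.start("value") - m.start()]   # key and separator
        quote = m.group("value")[0] if m.group("value")[0] in "\"'" else ""
        return prefix + quote + REDACTED + quote
    return _CRED_RE.sub(_sub, line)


def redact_all(lines):
    """Redacted copy of a whole log, safe to attach to a support case."""
    return [redact(line) for line in lines]


# Constructed sample log, in the spirit of a Bridge client or Server log that
# echoes connection parameters. Line 4 is a decoy with no value to leak.
SAMPLE_LOG = [
    "2017-10-02 14:03:11.123 -0700 INFO  bridge: connecting server=db01.corp.example;db=sales;username=report_svc;password=Sup3rS3cret!",
    "2017-10-02 14:03:11.140 -0700 INFO  bridge: connection established in 17ms",
    '2017-10-02 14:04:02.001 -0700 DEBUG bridge: datasource {"name": "Orders", "user": "etl", "password": "p@ss w0rd", "port": 5432}',
    "2017-10-02 14:05:00.500 -0700 WARN  bridge: password rotation due in 7 days",
]

if __name__ == "__main__":
    for number, key, secret in find_credentials(SAMPLE_LOG):
        print(f"line {number}: {key} exposed ({len(secret)} chars); rotate this credential")
    print("\n".join(redact_all(SAMPLE_LOG)))
```

Upgrading stops the writes; it does not remove what is already in rotated logs or in support bundles built from them, so the practical remediation is to rotate every credential the scan reports and to run the redaction over any log copy that leaves the host. The key list and separators are assumptions; extend them if a log turns out to use other field names.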

Severity: High

Summary: A vulnerable version of Tableau Server configured for Site SAML (site-specific SAML authentication) contains a flaw that can be exploited by an attacker to log into a site that they are not a member of. The attacker must have site administrator privileges on another site on the same server.

Impact: An attacker could log into a site they do not have access to.

Vulnerable Versions: Tableau Server 10.0 (through 10.0.12), 10.1 (through 10.1.10), 10.2 (through 10.2.4), 10.3 (through 10.3.2)

Resolution: The issue can be fixed by upgrading to the following versions:

Tableau Server 10.0.13

Tableau Server 10.1.11

Tableau Server 10.2.5

Tableau Server 10.3.3

Summary: Tableau Software has confirmed that no currently supported version of Tableau Server is impacted by CVE-2017-9805. Tableau Software has also confirmed that Tableau Online is not impacted by CVE-2017-9805.

Tableau Server versions 10.0.0 through 10.0.10 and 10.1.0 through 10.1.8 did ship with the Struts components, but the components were not used in a way that is vulnerable, and they have since been removed.

[Informational] INF-2017-005: Extract Refreshes can unhide columns

Summary: If an extract on Tableau Server has hidden columns, refreshing the extract makes those columns unhidden.

This can lead to slower extract refreshes, larger extracts, slower viz performance, and previously hidden columns becoming visible to users.

See issue 670693 on https://www.tableau.com/support/known-issues.

Versions Affected: Tableau Server 10.2.3, Tableau Desktop 10.2.3

[Important] ADV-2017-018: Privilege escalation when using Mutual SSL on Tableau Server

Severity: Critical

Summary: There is an authentication bypass vulnerability that allows an attacker to authenticate as a Tableau Server user of their choice.

The vulnerability is exploitable when both of the following conditions are true:

  • Tableau Server is configured for Mutual SSL authentication (authentication with client certificates)
  • The insecure HTTP port (default is port 80) is reachable by the attacker

Impact: An unauthenticated attacker can access Tableau Server as any Tableau Server user.

Vulnerable Versions: 9.1.0 (through 9.1.19), 9.2.0 (through 9.2.18), 9.3.0 (through 9.3.16), 10.0.0 (through 10.0.11), 10.1.0 (through 10.1.9), 10.2.0 (through 10.2.3), 10.3.0 (through 10.3.1)

Mitigation: Disable the insecure HTTP port (default is port 80) on the computer running Tableau Server.

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server 9.1.20

Tableau Server 9.2.19

Tableau Server 9.3.17

Tableau Server 10.0.12

Tableau Server 10.1.10

Tableau Server 10.2.4

Tableau Server 10.3.2

[Important] ADV-2017-016: REST API may trigger refresh extracts on the wrong site

Severity: Medium

Summary: In some cases REST API calls intended for one site will refresh an extract on a different site hosted on the same Tableau Server.

Impact: An extract refresh on another site is triggered. This results in unnecessary consumption of resources. In addition, the workbook and data source names on the other site are disclosed to the site that initiated the refresh as a byproduct of the refresh.

Data from the extract or the target data source is not disclosed.

Vulnerable Versions: Tableau Server 10.3.0 (through 10.3.1)

Mitigation: None

Resolution: The issue can be fixed by upgrading to the following Tableau Server version:

Tableau Server: 10.3.2

Severity: High

Summary: An authenticated remote attacker can send a specially crafted message to an authenticated API call that results in the disclosure of information from Tableau Server.

Impact: Exploits of the authenticated API call can result in the disclosure of information that the Tableau Server Run As User service account has access to.

Vulnerable Versions: Tableau Server 9.3.0 (through 9.3.15), 10.0.0 (through 10.0.10), 10.1.0 (through 10.1.8), 10.2.0 (through 10.2.2), 10.3.0

Workarounds: None

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server: 9.3.16

Tableau Server: 10.0.11

Tableau Server: 10.1.9

Tableau Server: 10.2.3

Tableau Server: 10.3.1

Severity: High

Summary: Tableau Desktop on the Mac includes a MySQL driver. Versions 5.3.4 and earlier of the MySQL driver contain an outdated, vulnerable version of the OpenSSL library (1.0.1g). The following Tableau connectors use the MySQL driver: Amazon Aurora, Google Cloud SQL, MemSQL, MongoDB BI Connector and MySQL.

Impact: Users running Tableau Desktop on the Mac who create connections to MySQL over SSL are exposed to the vulnerability. The vulnerability may result in denial of service or remote code execution.

Vulnerable Versions: Tableau Desktop on the Mac 9.3 (through 9.3.15), 10.0 (through 10.0.10), 10.1 (through 10.1.8), 10.2 (through 10.2.2), 10.3.0.

The MySQL driver was not included with versions prior to 9.3.15. However, the driver may have been installed on earlier versions of Tableau Desktop by users who downloaded the MySQL driver directly from Oracle.

Resolution: As of the releases listed here, Tableau no longer installs the MySQL driver with Tableau Desktop on the Mac.

Tableau Desktop on the Mac: 9.3.16

Tableau Desktop on the Mac: 10.0.11

Tableau Desktop on the Mac: 10.1.9

Tableau Desktop on the Mac: 10.2.3

Tableau Desktop on the Mac: 10.3.1

We recommend that customers remove the MySQL driver until an updated version is provided by Oracle. For more information, see Driver Download.

Customers running macOS Sierra or later can install a current version of the MySQL driver, which no longer uses the OpenSSL library.

More Information: The OpenSSL vulnerability is documented on the NIST website at CVE-2016-2108 Detail.

Severity: High

Summary: Tableau Server and Tableau Desktop include an outdated, vulnerable version of libtiff, a third-party dynamic link library.

Impact: Exploits of the outdated version rely on buffer overflows and other memory-handling vulnerabilities that could result in denial of service or remote code execution.

Vulnerable Versions: 8.3 (through 8.3.19), 9.0 (through 9.0.22), 9.1 (through 9.1.19), 9.2 (through 9.2.18), 9.3 (through 9.3.15), 10.0 (through 10.0.10), 10.1 (through 10.1.8), 10.2 (through 10.2.2).

Resolution: The issue can be fixed by upgrading to the following Tableau Server and Tableau Desktop versions:

Tableau Server, Tableau Desktop: 8.3.20

Tableau Server, Tableau Desktop: 9.0.23

Tableau Server, Tableau Desktop: 9.1.20

Tableau Server, Tableau Desktop: 9.2.19

Tableau Server, Tableau Desktop: 9.3.16

Tableau Server, Tableau Desktop: 10.0.11

Tableau Server, Tableau Desktop: 10.1.9

Tableau Server, Tableau Desktop: 10.2.3

More Information: the following vulnerabilities are resolved with the latest upgrade:

CVE-2016-9535

CVE-2015-7554

CVE-2016-8331

CVE-2016-6223

CVE-2016-9448

CVE-2016-5323

CVE-2016-9297

CVE-2016-5315

CVE-2016-5317

CVE-2016-5321

CVE-2016-5318

CVE-2016-9273

CVE-2015-8683

CVE-2015-8665

CVE-2015-1547

CVE-2014-9655

See https://cve.mitre.org/index.html for an index of CVEs.

Severity: Medium

Summary: Tableau Server includes an unauthenticated API call that generates a non-trivial amount of work on the server.

Impact: Exploiting the unauthenticated API call could result in a slow or unresponsive Tableau Server (denial of service).

Vulnerable Versions: Tableau Server 9.0 (through 9.0.22), 9.1 (through 9.1.19), 9.2 (through 9.2.18), 9.3 (through 9.3.15), 10.0 (through 10.0.10), 10.1 (through 10.1.8), 10.2 (through 10.2.2).

Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

Tableau Server: 9.0.23

Tableau Server: 9.1.20

Tableau Server: 9.2.19

Tableau Server: 9.3.16

Tableau Server: 10.0.11

Tableau Server: 10.1.9

Tableau Server: 10.2.3