ADV-2016-003 - Information Regarding: CVE-2016-2108

Version 2

    Severity: High

    Summary: On May 3, 2016, OpenSSL announced a patch for a high-severity vulnerability, CVE-2016-2108, which may continue to impact Tableau Server users.

    Vulnerable Versions: Tableau Server

    8.2.0 through 8.2.20

    8.3.0 through 8.3.14

    9.0.0 through 9.0.15

    9.1.0 through 9.1.9

    9.2.0 through 9.2.7

    9.3.0

    Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

    Tableau Server: 8.2.21

    Tableau Server: 8.3.15

    Tableau Server: 9.0.16

    Tableau Server: 9.1.10

    Tableau Server: 9.2.8

    Tableau Server: 9.3.1

    Workaround: Tableau Software development teams are working to integrate the announced patched versions of OpenSSL into upcoming releases of Tableau Server. When those releases are available, it is advised to promptly update to the latest version of Tableau Server.

    CVE-2016-2108: If utilizing Postgres with SSL, the risk can be mitigated by following the resolution below:

    Limit external access to Postgres (for example, using firewall rules).

    Additional Information: Tableau Server uses two different versions of OpenSSL in its code:

    Apache and platform code - 1.0.2g

    Postgres (not enabled by default) - 1.0.1m

    The Postgres implementation of OpenSSL is still vulnerable to this issue and will be updated in a future maintenance release. Customers that have enabled SSL for Postgres should restrict access to the Postgres service using firewall rules. By default, the configuration does not allow access to the Postgres service from external hosts.

    Resources:

    NVD Announcement for CVE-2016-2108: https://nvd.nist.gov/vuln/detail/CVE-2016-2108