[Important] ADV-2016-004- Information Regarding: CVE-2016-2107

Version 4

    Severity: Medium

     

    Summary: On May 3, 2016 OpenSSL announced a patch for a medium severity vulnerability, CVE-2016-2107 which may continue to impact Tableau Server users.

     

    Vulnerable versions: Tableau Server  8.2.0 (through 8.2.20) 8.3.0 (through 8.3.14) 9.0.0 (through 9.0.15) 9.1.0 (through 9.1.9) 9.2.0 (through 9.2.7) 9.3.0

     

    Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:

    Tableau Server: 8.2.21

    Tableau Server: 8.3.15

    Tableau Server: 9.0.16

    Tableau Server: 9.1.0

    Tableau Server: 9.2.0

    Tableau Server: 9.3.0

     

    Workaround: Configure Tableau Server to remove the vulnerable ciphersuites.

    Please note: this workaround may impact interoperability with some clients, such as Internet Explorer.

    Launch the Command Prompt as an administrator

    Navigate to the Tableau Server bin folder, the default location is C:\Program Files\Tableau\Tableau Server\9.3\bin

    Run the following commands:

    tabadmin set ssl.protocols "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"

    tabadmin set ssl.ciphersuite "AESGCM"

    tabadmin config

    tabadmin restart

     

    Additional Information         

    Tableau Server uses two different versions of OpenSSL in its code:

    Apache and platform code - 1.0.2g

    Postgres (not enabled by default) - 1.0.1m

     

    Resources: