Summary: On May 3, 2016, OpenSSL announced a patch for a medium-severity vulnerability, CVE-2016-2107, which may continue to impact Tableau Server users.
Vulnerable versions: Tableau Server 8.2.0 (through 8.2.20), 8.3.0 (through 8.3.14), 9.0.0 (through 9.0.15), 9.1.0 (through 9.1.9), 9.2.0 (through 9.2.7), 9.3.0
Resolution: The issue can be fixed by upgrading to the following Tableau Server versions:
Tableau Server: 8.2.21
Tableau Server: 8.3.15
Tableau Server: 9.0.16
Tableau Server: 9.1.0
Tableau Server: 9.2.0
Tableau Server: 9.3.0
Workaround: Configure Tableau Server to remove the vulnerable ciphersuites.
Please note: this workaround may impact interoperability with some clients, such as Internet Explorer.
1. Launch the Command Prompt as an administrator.
2. Navigate to the Tableau Server bin folder; the default location is C:\Program Files\Tableau\Tableau Server\9.3\bin
3. Run the following commands:
   tabadmin set ssl.protocols "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
   tabadmin set ssl.ciphersuite "AESGCM"
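To see what the ssl.ciphersuite value in the workaround selects, the following added example (not part of the Tableau advisory) expands the OpenSSL cipher string AESGCM with the local Python/OpenSSL build and confirms that no non-AEAD suite remains; CVE-2016-2107 is a padding oracle in OpenSSL's AES-NI handling of AES-CBC records. The comparison string "AES" and the function names are assumptions for illustration, and the suite list reflects the OpenSSL version running the script, not the copy bundled with Tableau Server.

```python
import ssl

# Cipher string from the advisory's `tabadmin set ssl.ciphersuite` command.
WORKAROUND_CIPHERS = "AESGCM"
# Broader string for contrast (constructed for this example, not from the advisory).
COMPARISON_CIPHERS = "AES"


def expand(cipher_string):
    """Return the suites the local OpenSSL build selects for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def non_aead(cipher_string):
    """Names of selected suites that use a separate MAC (CBC or stream modes)."""
    return sorted(c["name"] for c in expand(cipher_string) if not c["aead"])


def legacy_names(cipher_string):
    """Names of selected suites below TLS 1.3.

    OpenSSL 1.1.1+ lists its TLS 1.3 suites regardless of the cipher string,
    so they are kept apart from what the string itself controls.
    """
    return sorted(c["name"] for c in expand(cipher_string)
                  if c["protocol"] != "TLSv1.3")


def report(cipher_string):
    """Summarise a cipher string as (suites below TLS 1.3, non-AEAD suites)."""
    return len(legacy_names(cipher_string)), len(non_aead(cipher_string))


if __name__ == "__main__":
    for label, s in (("workaround", WORKAROUND_CIPHERS),
                     ("comparison", COMPARISON_CIPHERS)):
        total, risky = report(s)
        print(f"{label:<10} {s!r}: {total} suites below TLS 1.3, {risky} non-AEAD")
        for name in non_aead(s):
            print("   non-AEAD:", name)
```

Because AES-GCM suites exist only from TLS 1.2 onward, clients limited to older protocol versions or CBC suites cannot negotiate after the change, which is the interoperability impact noted above.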
Tableau Server uses two different versions of OpenSSL in its code:
Apache and platform code - 1.0.2g
Postgres (not enabled by default) - 1.0.1m