ADV-2015-001 Security Advisory: Buffer Overflow Vulnerability

Version 2

    Severity: Critical

     

    Description: Due to a buffer overflow in a third-party component of Tableau Server, remote attackers could cause a denial of service or inject and run arbitrary code on the computer running Tableau Server.

     

    Vulnerable Versions: Tableau Server 8.1 (through 8.1.23), 8.2 (through 8.2.16), 8.3 (through 8.3.11), 9.0 (through 9.0.8), 9.1 (through 9.1.2)

     

    Conditions: Any Tableau Server instances are vulnerable to this exploit.

    The vulnerability cannot be exploited through web or Postgres interfaces.

    For security reasons, we don’t publish the steps to reproduce this security vulnerability.

     

    ImpactL Depending on the sophistication of the malicious users who launch an attack, buffer overflow impacts can vary widely. To understand the potential consequences of buffer overflow vulnerabilities, see the Common Consequences section of CWE-120 (Common Weakness Enumeration).

    None of these consequences have been observed outside of test laboratory conditions with this vulnerability.

     

    Resolution: Upgrade Tableau Server per the following guidance:

    Tableau Server 8.1.24

    Tableau Server 8.2.17

    Tableau Server 8.3.12

    Tableau Server 9.0.9

    Tableau Server 9.1.3

     

    Workaround: If you are running Tableau Server in a cluster, you can partially mitigate this vulnerability by closing ports in the server computer's firewall that are not needed. For access to Tableau Server from users over HTTP, open port 80. (If the server is configured to use SSL, open port 443 also.) You can then also open the ports that are used by Tableau Server processes, and allow traffic via those ports only for the IP addresses of the computers in the cluster. For more information Tableau Server processes and the ports they use, see Tableau Server Ports.

     

    Note: Limiting port access can reduce the threat, but does not eliminate it. Limit port access only as an interim step until you can upgrade Tableau Server to a version in which the vulnerability has been addressed.

    To set up IP filtering in a Tableau Server cluster, perform the following tasks on the primary Tableau node:

    1. Configure a fixed port for licensing communication. See Resolving "Unidentifiable license" or "The cluster is above its license capacity" Errors.
    2. Create an exception in Windows Firewall for the port you specified in Step 1. See the Microsoft Technet article, Add or Edit Firewall Rule.

    CVSS v2.0 Base Score: 9

    CVSS v2.0 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:P

    If you run network filtering (such as IP filtering noted above), then the CVSS v2.0 Base Score is 7.6 (High).For more information about vectors, see CVSS v2 Vector Definitions on the National Vulnerability Database site.