Heartbleed Vulnerability

Version 2

    Article Note: This article is no longer actively maintained by Tableau. We continue to make it available because the information is still valuable, but some steps may vary due to product changes.


    If you or your organization uses Tableau, you may be affected by the CVE-2014-0160 (Heartbleed) security vulnerability.

     

    Heartbleed is a critical security vulnerability in the OpenSSL library (version 1.0.1). OpenSSL is an open source software library used by many websites and software products, including some Tableau products.

    The Heartbleed vulnerability allows a remote attacker to read client or server application memory. This can expose encryption keys, which in turn can enable the decryption of data obtained by intercepting traffic; passwords or other sensitive data could be accessed this way. Tableau's Desktop and Server products use OpenSSL to negotiate the security protocol between the server and the desktop, and both Tableau Server and Tableau Desktop also use it when they communicate with other servers. For example, a dashboard with an embedded web page component may access a remote SSL-enabled server.

    Tableau products affected - Upgrade immediately

    You are affected by this vulnerability if you use any of the Tableau products listed in the following table. When SSL is used with these products, connections rely on OpenSSL library version 1.0.1, which contains the vulnerability.

    To resolve this issue, upgrade the affected Tableau products immediately. The OpenSSL project has released a correction, OpenSSL version 1.0.1g, which Tableau has incorporated into Tableau 8.1.6 and Tableau 8.0.10. These versions are available from the Customer Portal. Tableau has also incorporated OpenSSL version 1.0.1g in the Tableau 8.2 Beta 2, which will be available from the Tableau 8.2 Beta web site.

     

    Note: Tableau Desktop is vulnerable even if it's not connecting to a Tableau Server. If your version of Tableau Desktop is listed under "Tableau Products Affected," it is strongly recommended that you upgrade it.

    Tableau product: Tableau Desktop (Professional and Personal Editions)
    Version: 8.1.0 through 8.1.5
    Examples of vulnerability:
    - Tableau Desktop connections to a Tableau Server configured for SSL. Publishing workbooks and data sources are examples of activities that can occur over SSL.
    - Tableau Desktop connections to certain cloud-based data sources. OData and Salesforce.com are examples of two data sources that require an SSL connection with Tableau Desktop.
    - Tableau Desktop dashboards that include web page objects. The included web page could reside on a server configured for SSL.
    - Tableau Desktop connections to its own start page. The page that displays when you first open Tableau Desktop has links to resources on tableausoftware.com. While the Tableau web site itself is not vulnerable, a malicious user could exploit the connection.
    - Tableau Desktop connections to custom map servers configured for SSL.
    Recommendation: Upgrade immediately to Tableau Desktop 8.1.6. To upgrade, go to the Downloading Tableau Products article.

    Tableau product: Tableau Desktop
    Version: 8.2 Beta 1
    Examples of vulnerability: Same as above.
    Recommendation: Upgrade immediately to Tableau Desktop 8.2 Beta 2: http://beta.tableausoftware.com/builds.html

    Tableau product: Tableau Server
    Version: 8.1.0 through 8.1.5, and 8.0.6 through 8.0.9
    Examples of vulnerability:
    - Client web browser sessions with a Tableau Server configured for SSL. When this is the case, the client browser's URL starts with https:// instead of http://.
    - Tableau Server connections to certain cloud-based data sources. Even if Tableau Server itself isn't configured for SSL, the data source may use SSL for the connection.
    Recommendation: Upgrade immediately. Note: Before upgrading, review the upgrade instructions below.

    Tableau product: Tableau Server
    Version: 8.2 Beta 1
    Examples of vulnerability: Same as above.
    Recommendation: Upgrade immediately to Tableau 8.2 Beta 2: http://beta.tableausoftware.com/builds.html

    Tableau product: Tableau Desktop Public Edition
    Version: 8.1.0 through 8.1.5
    Examples of vulnerability: Tableau Desktop Public Edition connections to Tableau Public via SSL.
    Recommendation: Upgrade immediately to Tableau Desktop Public Edition 8.1.6. To upgrade, go to the Downloading Tableau Products article.

    Tableau product: Tableau Reader
    Version: 8.1.0 through 8.1.5
    Examples of vulnerability: Tableau Reader connections to external web pages that are included in a dashboard.
    Recommendation: Upgrade immediately to Tableau Reader 8.1.6. To upgrade, go to the Downloading Tableau Products article.

    Upgrade Tableau Desktop

    To upgrade Tableau Desktop, review the Upgrading Tableau Desktop article.

    Upgrade Tableau Server

    Before upgrading Tableau Server, complete the steps in the Pre-Upgrade Checklist article. Next, to reduce the impact to your data stored on Tableau Server, review Server Backup and Maintenance Automation. To upgrade Tableau Server, follow the steps in the Upgrading Tableau Server article.

    Also, if you upgrade a Tableau Server configured for SSL, be sure to (1) upgrade all of the Tableau products you use to the latest version, including Tableau Desktop, and then (2) replace the SSL certificates. Refer to the Obtaining an SSL Certificate for Tableau Server knowledge base article and the Configure SSL topic in the Tableau Server Help for details.

    Tableau products not affected - No action required

    You are not impacted by this vulnerability if you use the products listed in the table below.

    Tableau product                                      | Version           | Reason                                                                             | Recommendation
    -----------------------------------------------------|-------------------|------------------------------------------------------------------------------------|-------------------
    Tableau Desktop (Professional and Personal Editions) | 8.0.x and earlier | Uses a version of OpenSSL that is not vulnerable.                                  | No action required
    Tableau Server                                       | 8.0.5 and earlier | Uses a version of OpenSSL that is not vulnerable.                                  | No action required
    Tableau Online                                       | n/a               | Uses a version of OpenSSL that is not vulnerable.                                  | No action required
    Tableau Public                                       | n/a               | Uses a different SSL implementation; does not use OpenSSL.                         | No action required
    Tableau Desktop Public Edition                       | 8.0.x and earlier | Uses a version of OpenSSL that is not vulnerable.                                  | No action required
    Tableau Reader                                       | 8.0.x and earlier | Uses a version of OpenSSL that is not vulnerable.                                  | No action required
    Tableau Mobile app (Android and iOS)                 | All               | Does not use OpenSSL.                                                              | No action required
    www.tableausoftware.com                              | n/a               | This includes Tableau licensing servers, Tableau map servers, and website content. | No action required
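The affected and not-affected tables above, turned into a triage helper for checking an inventory of installs. This is an added example, not code from Tableau or the article: product names are normalised to their short forms, the function names and sample inputs are assumptions, and the version ranges, the 8.1.6 / 8.0.10 / 8.2 Beta 2 fixed builds and the OpenSSL 1.0.1g boundary are taken from the article.

```python
import re

# Affected ranges from the "Tableau products affected" table: (product, lowest, highest, fixed release)
AFFECTED = [
    ("Tableau Desktop", (8, 1, 0), (8, 1, 5), "Tableau Desktop 8.1.6"),
    ("Tableau Desktop Public Edition", (8, 1, 0), (8, 1, 5), "Tableau Desktop Public Edition 8.1.6"),
    ("Tableau Reader", (8, 1, 0), (8, 1, 5), "Tableau Reader 8.1.6"),
    ("Tableau Server", (8, 1, 0), (8, 1, 5), "Tableau Server 8.1.6"),
    ("Tableau Server", (8, 0, 6), (8, 0, 9), "Tableau Server 8.0.10"),
]
# 8.2 Beta 1 of Desktop and Server is affected; Beta 2 carries OpenSSL 1.0.1g.
BETA_AFFECTED = {"Tableau Desktop", "Tableau Server"}
# Products the "not affected" table lists as safe regardless of version (short names assumed here).
NEVER_AFFECTED = {"Tableau Online", "Tableau Public", "Tableau Mobile app"}
KNOWN = NEVER_AFFECTED | {p for p, *_ in AFFECTED}

def parse_version(text):
    """'8.1.5' -> (8, 1, 5); '8.2 Beta 1' -> ('beta', '8.2', 1); None if unparsable."""
    text = text.strip()
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text)
    if m:
        return tuple(int(x) for x in m.groups())
    m = re.fullmatch(r"(\d+\.\d+)\s*beta\s*(\d+)", text, re.IGNORECASE)
    if m:
        return ("beta", m.group(1), int(m.group(2)))
    return None

def triage(product, version):
    """Return (affected, recommendation); affected is None when the advisory does not cover the input."""
    if product not in KNOWN:
        return None, "Product not covered by the advisory; check manually"
    if product in NEVER_AFFECTED:
        return False, "No action required"
    v = parse_version(version)
    if v is None:
        return None, "Unrecognised version string; check manually"
    if v[0] == "beta":
        if product in BETA_AFFECTED and v[1:] == ("8.2", 1):
            return True, "Upgrade immediately to 8.2 Beta 2"
        return None, "Beta build not covered by the advisory; check manually"
    for prod, low, high, fix in AFFECTED:
        if prod == product and low <= v <= high:
            return True, f"Upgrade immediately to {fix}"
    # Below the affected ranges the bundled OpenSSL is not vulnerable; at or above the fixed releases it is 1.0.1g.
    return False, "No action required"

def openssl_vulnerable(banner):
    """True for an OpenSSL 1.0.1 banner below 1.0.1g (the fixed version the article names)."""
    m = re.search(r"\b1\.0\.1([a-z]?)\b", banner)
    return bool(m) and m.group(1) < "g"
```

openssl_vulnerable() only judges the 1.0.1 line the article discusses, so it is a quick check on a bundled OpenSSL DLL's version banner, not a substitute for the product table.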

    Frequently Asked Questions

     

    What fix was incorporated into Tableau products to resolve the Heartbleed vulnerability?

    We incorporated the latest version of the OpenSSL library, version 1.0.1g, into the affected Tableau products.

    Do I need to update Tableau Desktop even though I do not have Tableau Server installed?

    Yes, some drivers used by Tableau Desktop connections use SSL (HTTPS). For example, an Amazon Redshift connection uses PostgreSQL drivers that may or may not have been updated to address this vulnerability. Therefore, you could be exposed to the vulnerability by simply connecting to a data source like Amazon Redshift, even if you do not have Tableau Server installed.

     

    If Tableau Server is behind a firewall, or is part of a strictly internal deployment, do I need to worry about the Heartbleed vulnerability?

    Yes, there is always the threat of malicious internal users within an organization.

     

    Is Tableau Reader impacted?

    Yes. Because the OpenSSL library is part of the Tableau Reader product, we recommend you upgrade immediately.

    How bad is this Heartbleed vulnerability?

    Heartbleed is a critical security vulnerability and should be treated accordingly. It is considered critical because exploits have already been seen in the community that show private keys can be read from memory, along with passwords and other secret information. What increases the severity is that the vulnerable code has been live on the internet for over two years.

    Do I need to change my passwords and/or certificates?

    Yes, as a security best practice, Tableau recommends you regenerate your private keys, reissue certificates used for SSL communications and change any secret information (such as passwords) that might have been compromised.

     

    Is this being tracked by the security community?

    Yes, the Heartbleed vulnerability has been reported as CVE-2014-0160. CVE (Common Vulnerabilities and Exposures) is the standard maintained by MITRE (http://cve.mitre.org/).

    Has the OpenSSL community issued a statement for this Heartbleed vulnerability?

    Yes, an advisory has been published on the OpenSSL website: https://www.openssl.org/news/secadv_20140407.txt.

    Summary of helpful links