You might want to sense check what Tableau issue on their security bulletins page to see whether the vulnerability you mention has been referenced there Security Bulletins
I can see a fix went in v10.3.3 related to Apache [Important] ADV-2017-019: Multiple CVEs fixed in Apache HTTPD 2.4.26 and there are also 2 information bulletins which indicate Tableau Server is not affected by some issues.
You can add comments to the posts on the security bulletins just as you can with these forum threads, so if you're still not sure you could reach out to the Tableau Security team that way instead.
Thank you for the super quick response Donna but worryingly the below vulnerability is not referenced??
"Significant vulnerabilities have been announced in Tomcat (CVE-2017-12615 & CVE-2017-12616) which, under the correct circumstances, will permit remote code execution and information disclosure. Both Windows and Linux platforms are in scope."
It's that serious that we are being asked to shut down anything we cannot upgrade/plug? Is this something Tableau are looking into urgently, or is there an option for us to manually upgrade the component in question until you guys have managed to address it?
Sorry to pester, but as you can imagine we are a little nervous about this.
Hey Daniel --
The product team is aware of these vulnerabilities and we're in the process of analyzing what impact (if any), they have on Tableau Server. I don't play on the security side of the house myself, but in your shoes, I'd probably open a support case as doing so helps track and prioritize work.
Hope this helps!
No worries Dan - of course you're right to be concerned. Please do what Russell suggests and open a formal case with Tableau Support.
I have opened a support case, and hopefully this will be investigated as a high priority.
I have the same issue.
Been told to upgrade tomcat on our Tableau servers for the security vulnerability.
Tomcat version for our Tableau installation is 7.0.75.
Any word from Tableau yet?
Is there any update in status on this? Just today on our 10.3.3 dev platform we started seeing some Tableau processes not functional and have traced it back to a nexpose vulnerability scanner.
1 of 1 people found this helpful
The below just hit my inbox:
I recommend following the security blog:
You'll receive all alerts as soon as they are posted.
We actually tried to expose the vulnerability ourselves but luckily DELETE's and PUT' s are disabled by default in the Tableau Apache Tomcat installation. Following Tableau's official response stating the same; we are happy that we do not need to stop the service, but have requested Tableau upgrade the Tomcat version in the next release of the server product.
Thank you all that have contributed/commented on this discussion.
In the original post, it is stated, "Apache Tomcat will be updated to a later version in a future maintenance release". What is the current status of the Tomcat as bundled with Tableau Server 2018.2? How do we determine the version of Tomcat being bundled and whether that is beyond the cited vulnerabilities?
1 of 1 people found this helpful
C:\Program Files\Tableau\Tableau Server\packages\tomcat.<Version>\RELEASE-NOTES
That'll tell you the version.
Yup, That works. Way too easy when you know where to find it. Thank you. So for all who are wondering, Tableau Server 2018.2.3 comes bundled with Tomcat 184.108.40.206. Apache advertises this version has the fix for the vulnerabilities, listed above. Also, check out this blog (java - how to find out running tomcat version - Stack Overflow ). You can run the following commands to get the Tomcat version output:
\java.exe" -cp catalina.jar org.apache.catalina.util.ServerInfo
Server version: Apache Tomcat/7.0.82
Server built: Nov 17 2017 22:35:24 UTC
Server number: 220.127.116.11
and to answer your question about 2018.2.0 - that uses Tomcat 7.0.82 - which is beyond te impacted version numbers for both of the CVE's.