You might want to sense check what Tableau issue on their security bulletins page to see whether the vulnerability you mention has been referenced there: Security Bulletins
I can see a fix went in v10.3.3 related to Apache, "[Important] ADV-2017-019: Multiple CVEs fixed in Apache HTTPD 2.4.26", and there are also 2 information bulletins which indicate Tableau Server is not affected by some issues.
You can add comments to the posts on the security bulletins just as you can with these forum threads, so if you're still not sure you could reach out to the Tableau Security team that way instead.
Thank you for the super quick response Donna but worryingly the below vulnerability is not referenced??
"Significant vulnerabilities have been announced in Tomcat (CVE-2017-12615 & CVE-2017-12616) which, under the correct circumstances, will permit remote code execution and information disclosure. Both Windows and Linux platforms are in scope."
It's that serious that we are being asked to shut down anything we cannot upgrade/plug? Is this something Tableau are looking into urgently, or is there an option for us to manually upgrade the component in question until you guys have managed to address it?
Sorry to pester, but as you can imagine we are a little nervous about this.
Hey Daniel --
The product team is aware of these vulnerabilities and we're in the process of analyzing what impact (if any) they have on Tableau Server. I don't play on the security side of the house myself, but in your shoes, I'd probably open a support case as doing so helps track and prioritize work.
Hope this helps!
No worries Dan - of course you're right to be concerned. Please do what Russell suggests and open a formal case with Tableau Support.
I have opened a support case, and hopefully this will be investigated as a high priority.
I have the same issue.
Been told to upgrade Tomcat on our Tableau servers for the security vulnerability.
Tomcat version for our Tableau installation is 7.0.75.
Any word from Tableau yet?
Is there any update in status on this? Just today on our 10.3.3 dev platform we started seeing some Tableau processes not functional and have traced it back to a Nexpose vulnerability scanner.
The below just hit my inbox:
I recommend following the security blog:
You'll receive all alerts as soon as they are posted.
We actually tried to expose the vulnerability ourselves but luckily DELETEs and PUTs are disabled by default in the Tableau Apache Tomcat installation. Following Tableau's official response stating the same, we are happy that we do not need to stop the service, but have requested Tableau upgrade the Tomcat version in the next release of the server product.
Thank you all that have contributed/commented on this discussion.