Vulnerability Testing against Tableau Server

Karthik Venkatraman

Hi All,

In my organization, we have a web application which uses a few Tableau dashboards embedded in it. We have Tableau Server 2018.3.2. My organization wants to run a vulnerability test against the Tableau Server, as a few of my customers access our web application. Hence I want to know whether it is possible and whether it is needed.


They ran the vulnerability test using Qualys on one server, using the URL of my Tableau Server, and had a few observations, listed below.


• SSL/TLS Server supports TLSv1.0
  • I have already executed the tsm command tsm configuration set -k ssl.protocols -v "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1" on the server; however, the report still shows it as vulnerable after executing it.
• Birthday attacks against TLS ciphers with 64-bit block size vulnerability
• HTTP Security Header Not Detected
  • Is there a tsm command for setting X-Frame-Options for the Tableau Server 2018 version? It was said that this option is available only from Tableau Server 2019.3.2.
  • I have enabled HTTP Strict Transport Security for web browser clients using the tsm configuration set -k gateway.http.hsts_options -v max-age=31536000 command.
  • However, the report still shows it as a vulnerability.
• Content-Security-Policy HTTP Security Header Not Detected
  • gateway.http.x_xss_protection has been set to true using the tsm command.
• HTTP Public-Key-Pins Security Header Not Detected (I don't have a command for this)
• Slow HTTP POST vulnerability
• Cookie Does Not Contain The "HTTPOnly" Attribute
• X-Frame-Options header is not set


Although I have executed most of the commands that are required, the report still shows the server as vulnerable. Is there anything I need to do at the Apache server level?

I want to know how to fix these vulnerabilities and whether what I have done is correct. Also, is it advisable to do vulnerability testing on Tableau Server?


Any help is greatly appreciated.
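A way to confirm what the gateway actually serves after the tsm changes, added here as an example (this is not Tableau's code and not from the post): audit_headers() scores a response's headers against the header and cookie findings listed above, fetch_headers() pulls them from a live server, and tls_versions_accepted() tries one handshake per protocol version to see whether TLS 1.0 and 1.1 are really refused. The sample headers and the cookie name in them are constructed placeholders, and the host you pass in is assumed to be your own server.

```python
"""Added example: verify security headers and TLS versions a Tableau Server gateway serves."""
import http.client
import socket
import ssl

# One check per header finding in the post; each value test is a minimal sanity check.
REQUIRED = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "content-security-policy": lambda v: bool(v.strip()),
    "x-xss-protection": lambda v: v.strip().startswith("1"),
}

def audit_headers(headers):
    """headers: (name, value) pairs as from HTTPResponse.getheaders(); returns {check: bool}."""
    cookies = [v for n, v in headers if n.lower() == "set-cookie"]  # may be several
    found = {n.lower(): v for n, v in headers if n.lower() != "set-cookie"}
    result = {n: (n in found and chk(found[n])) for n, chk in REQUIRED.items()}
    # Every cookie the gateway sets should carry HttpOnly (no cookie set counts as a pass).
    result["cookies-httponly"] = all("httponly" in c.lower() for c in cookies)
    return result

def fetch_headers(host, port=443, path="/"):
    """Live response headers from the gateway over TLS (certificate verified)."""
    conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context(), timeout=10)
    conn.request("GET", path)
    return conn.getresponse().getheaders()

def tls_versions_accepted(host, port=443):
    """One handshake per TLS version; a hardened gateway should refuse 1.0 and 1.1."""
    versions = (("TLSv1.0", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                ("TLSv1.2", ssl.TLSVersion.TLSv1_2))
    accepted = {}
    for label, ver in versions:
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # version probe only
            ctx.minimum_version = ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=10) as s, ctx.wrap_socket(s, server_hostname=host):
                accepted[label] = True
        except (ssl.SSLError, OSError, ValueError):
            accepted[label] = False  # refused, or this client build cannot offer that version
    return accepted

# Constructed sample matching the post's findings: HSTS and X-XSS-Protection set, no X-Frame-Options or CSP, cookie without HttpOnly.
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Set-Cookie", "workgroup_session_id=placeholder; Path=/; Secure"),
]
```

Run audit_headers(fetch_headers("your.tableau.host")) and tls_versions_accepted("your.tableau.host") after applying the pending tsm changes; a False entry means the scanner will keep reporting that finding.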