Tableau Server – Patching OpenSSL – HeartBleed Bug

Data

Tableau Server – Patching OpenSSL – HeartBleed Bug

A major vulnerability was recently patched in OpenSSL. Tableau Server 8.1.5 currently uses a vulnerable version OpenSSL. The patched version of OpenSSL is 1.0.1g. Here’s a quick guide on how you can perform an in-place upgrade of OpenSSL to close the security hole. Please do so at your own risk, make backup copies of the files before doing anything, and understand this may invalidate your support while the changes are in place.

This will primarily affect Tableau Server instances utilizing SSL support, but could also affect reverse proxy configurations. It is more important to patch vulnerable servers that are internet facing.

  1. Obtain updated Windows OpenSSL binaries from: http://slproweb.com/products/Win32OpenSSL.html
  2. Download the package Win32 OpenSSL v1.0.1g Light (or your desired version) to your Tableau Server
  3. Run the application, extract to a local folder and be sure to have the installer copy the DLLs to that same local folder
  4. Stop Tableau Server
  5. Make a backup copy of files libeay32.dll and ssleay32.dll in %Program Files%TableauTableau Serverapachebin
  6. Copy the libeay32.dll and ssleay32.dll files from the new local OpenSSL version folder into %Program Files%TableauTableau Serverapachebin
  7. Start Tableau Server
  8. Once Tableau is fully started, verify https is still working

OpenSSL heartbleed CVE-2014-0160 – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

A useful site to check your vulnerability status: http://filippo.io/Heartbleed/

In addition to patching the security hole, please understand this is a major vulnerabilty that could have already been used to expose your private SSL key, permitting others to gain access to the encrypted data. Regeneration of private keys, reissuance of SSL certificates and changing sensitive information is a highly-recommended next step.

2014-04-10 Update: Tableau posted an official response to the blog with useful technical information at http://www.tableausoftware.com/de-de/about/blog/2014/4/tableau-and-heartbleed-vulnerability-29771 and they are targeting a release of 8.1.6 this evening, and all users should update both the desktop and server editions. This post was a quick way to deal with securing solely the built-in HTTPS endpoint that Tableau Server provides that sometimes is made internet-accessible. There are a number of other risks associated with this vulnerabilty, including client-side OpenSSL implementations if you wind up connecting to a malicious site. This can possibly come into effect when opening a Tableau dashboard in desktop that has a webpart to a compromised site. Further general reading on client-side risks can be found at http://www.theregister.co.uk/2014/04/10/many_clientside_vulns_in_heartbleed_says_sans/ but bottom line, please do update both the desktop and server clients as soon as they are released.

More About the Author

Daniel Holm

Director of Enterprise Solutions
Quick Q&A: Why We Like Dell-EMC for Just About Everything IT In this edition of “Quick Q&A,” we talk about Dell-EMC with InterWorks Director of Enterprise Solutions Daniel Holm, IT ...
Testing the Beta NVIDIA RTX Audio Driver NVIDIA is always pushing the limit of what their video cards can do. However, they have now started to use the AI abilities they ...

See more from this author →

Subscribe to our newsletter

  • I understand that InterWorks will use the data provided for the purpose of communication and the administration my request. InterWorks will never disclose or sell any personal data except where required to do so by law. Finally, I understand that future communications related topics and events may be sent from InterWorks, but I can opt-out at any time.
  • This field is for validation purposes and should be left unchanged.

InterWorks uses cookies to allow us to better understand how the site is used. By continuing to use this site, you consent to this policy. Review Policy OK

×

Interworks GmbH
Ratinger Straße 9
40213 Düsseldorf
Germany
Geschäftsführer: Mel Stephenson

Kontaktaufnahme: markus@interworks.eu
Telefon: +49 (0)211 5408 5301

Amtsgericht Düsseldorf HRB 79752
UstldNr: DE 313 353 072