A major vulnerability was recently patched in OpenSSL. Tableau Server 8.1.5 currently uses a vulnerable version of OpenSSL. The patched version of OpenSSL is 1.0.1g. Here’s a quick guide on how you can perform an in-place upgrade of OpenSSL to close the security hole. Please do so at your own risk, make backup copies of the files before doing anything, and understand this may invalidate your support while the changes are in place.
This will primarily affect Tableau Server instances utilizing SSL support, but could also affect reverse proxy configurations. It is more important to patch vulnerable servers that are internet facing.
- Obtain updated Windows OpenSSL binaries from: http://slproweb.com/products/Win32OpenSSL.html
- Download the package Win32 OpenSSL v1.0.1g Light (or your desired version) to your Tableau Server
- Run the application, extract to a local folder and be sure to have the installer copy the DLLs to that same local folder
- Stop Tableau Server
- Make a backup copy of the files libeay32.dll and ssleay32.dll in %ProgramFiles%\Tableau\Tableau Server
- Copy the libeay32.dll and ssleay32.dll files from the new local OpenSSL version folder into %ProgramFiles%\Tableau\Tableau Server
- Start Tableau Server
- Once Tableau is fully started, verify https is still working
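The same DLL swap as a PowerShell script, added here as an example (it is not from the original post or from Tableau). It assumes the DLL location the post gives, a tabadmin.exe under an 8.1\bin subfolder (assumed), and that the slproweb installer extracted the new build to C:\OpenSSL-Win32 (assumed); it backs up the old DLLs with a timestamp and compares file versions before and after the swap.

```powershell
# Added example, not part of the original post. Paths below are assumptions
# except the Tableau Server DLL folder, which is the one the post names.
param(
    [string]$TableauDir    = "$env:ProgramFiles\Tableau\Tableau Server",
    [string]$NewOpenSslDir = "C:\OpenSSL-Win32",                                   # assumed extract folder
    [string]$Tabadmin      = "$env:ProgramFiles\Tableau\Tableau Server\8.1\bin\tabadmin.exe"  # assumed location
)
$ErrorActionPreference = 'Stop'
$dlls = @('libeay32.dll', 'ssleay32.dll')

function Get-OpenSslDllVersion([string]$Path) {
    # The Win32 OpenSSL builds carry the release string (e.g. 1.0.1g) in the file's version resource.
    (Get-Item $Path).VersionInfo.FileVersion
}

# Refuse to touch anything unless both replacement DLLs are present; show old vs. new versions.
foreach ($dll in $dlls) {
    $new = Join-Path $NewOpenSslDir $dll
    if (-not (Test-Path $new)) { throw "Replacement $dll not found in $NewOpenSslDir" }
    Write-Host ("{0}: deployed {1} -> replacement {2}" -f $dll,
        (Get-OpenSslDllVersion (Join-Path $TableauDir $dll)), (Get-OpenSslDllVersion $new))
}

& $Tabadmin stop

# Timestamped backup folder so the change can be rolled back if HTTPS breaks after restart.
$backup = Join-Path $TableauDir ("openssl-backup-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backup | Out-Null
foreach ($dll in $dlls) {
    Copy-Item (Join-Path $TableauDir $dll) $backup
    Copy-Item (Join-Path $NewOpenSslDir $dll) (Join-Path $TableauDir $dll) -Force
}

& $Tabadmin start

# Confirm the deployed DLLs now report the patched release before trusting the HTTPS endpoint again.
foreach ($dll in $dlls) {
    $v = Get-OpenSslDllVersion (Join-Path $TableauDir $dll)
    if ($v -notlike '1.0.1g*') { Write-Warning "$dll still reports $v; roll back from $backup" }
}
Write-Host "Done. Backup of the previous DLLs is in $backup; now verify https in a browser."
```

Run it from an elevated PowerShell prompt on the Tableau Server host; the version check is a sanity check on the copied files, not a substitute for the browser verification in the last step.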
OpenSSL heartbleed CVE-2014-0160 – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
A useful site to check your vulnerability status: http://filippo.io/Heartbleed/
In addition to patching the security hole, please understand this is a major vulnerability that could have already been used to expose your private SSL key, permitting others to gain access to the encrypted data. Regeneration of private keys, reissuance of SSL certificates and changing sensitive information is a highly recommended next step.
2014-04-10 Update: Tableau posted an official response to the blog with useful technical information at http://www.tableausoftware.com/de-de/about/blog/2014/4/tableau-and-heartbleed-vulnerability-29771 and they are targeting a release of 8.1.6 this evening; all users should update both the desktop and server editions. This post was a quick way to deal with securing solely the built-in HTTPS endpoint that Tableau Server provides, which is sometimes made internet-accessible. There are a number of other risks associated with this vulnerability, including client-side OpenSSL implementations if you wind up connecting to a malicious site. This could occur when opening a Tableau dashboard in Desktop that has a web part pointing to a compromised site. Further general reading on client-side risks can be found at http://www.theregister.co.uk/2014/04/10/many_clientside_vulns_in_heartbleed_says_sans/ but, bottom line, please do update both the desktop and server editions as soon as they are released.