Tableau and the Heartbleed Vulnerability

Tableau and the Heartbleed Vulnerability

Phil Spurgeon
//

Tableau has published a post on their own site detailing how the Heartbleed Vulnerability affects the Tableau software. Whilst the security updates were released last night we thought it better to share with you the details of the vulnerability with regards to Tableau so you can update passwords within your organisations as needed. This is taken directly from the Tableau Software website:

UpdateWe have made Tableau versions 8.1.6 and 8.0.10 available. These are the maintenance releases which contain the correction for the Heartbleed vulnerability. The releases can be downloaded from either the primary customer download center or the alternate download site. 8.0.10 is only on the alternate download site. Information and downloads are also available in our Release Notes.
 
By now you might have heard about the Heartbleed vulnerability. Heartbleed is a critical security vulnerability in the OpenSSL software project. OpenSSL is an extremely popular open source software component used by a substantial number of applications and services running on the internet. Tableau is one of many products that include the OpenSSL component to manage the secure communication protocol. On April 7th, the OpenSSL Project released news of the vulnerability and an update to address it.
 

The vulnerability allows a remote attacker to read client or server application memory. This can allow for encryption keys to be read which can enable the decrypting of data obtained by intercepting traffic. For example, passwords or other sensitive data could be accessed. Tableau’s desktop products use OpenSSL to negotiate the security protocol from the server to the desktop, including both Tableau Servers configured for SSL and Tableau Desktop products which communicate with other servers – for example a dashboard with a web page component embedded in it which may access a remote SSL server.

The Tableau product versions with this vulnerability are:

  • Tableau Server version 8.0.6 thru 8.0.9 which are configured with SSL enabled. (Prior versions of Tableau Server are not vulnerable.)
  • Tableau Server version 8.1.0 thru 8.1.5 which are configured with SSL enabled.
  • Tableau Desktop versions 8.1.0 thru 8.1.5. All desktop varieties: Personal, Professional, Public Desktop, and Reader are vulnerable. (Prior versions of Tableau Desktop are not vulnerable).
  • The initial beta version of Tableau 8.2, both desktop and server.

We are currently in final testing of updated Tableau versions that correct this vulnerability. We are creating new versions with the latest OpenSSL (version 1.0.1g) embedded. Our target is to have the software released for customers to download Thursday evening (April 10th). We will be releasing Tableau versions 8.0.10 and 8.1.6 to correct this vulnerability. The rest of the Tableau properties do not have exposure to the Heartbleed vulnerability. Tableau Online, Tableau Public, the Tableau corporate website, customer portal, community forums, licensing server, map server, training content and other elements that are part of our website are all clear from this vulnerability.

 

We strongly encourage updating all affected Tableau product versions as soon as they are available, as this vulnerability poses a significant risk. Once your upgrade is complete, we recommend SSL certificates used on Tableau Server be updated as well as changing passwords on all Tableau Server accounts.

 

We will announce availability of our updates via our social media channels, our Release Notes forum, and an update to this blog post. With the release we will provide additional information about the changes and notes on performing the upgrade in a Knowledge Base article.

 

Please click here to contact our technical support organization if you have more questions or need additional guidance on performing the upgrade.

 

Need Expert Help?

See Our Full Menu of Data Services

InterWorks uses cookies to allow us to better understand how the site is used. By continuing to use this site, you consent to this policy. Review Policy OK

×

Interworks GmbH
Ratinger Straße 9
40213 Düsseldorf
Germany
Geschäftsführer: Mel Stephenson

Kontaktaufnahme: markus@interworks.eu
Telefon: +49 (0)211 5408 5301

Amtsgericht Düsseldorf HRB 79752
UstldNr: DE 313 353 072

×

Love our blog? You should see our emails. Sign up for our newsletter!