In response to the Heartbleed security vulnerability, we have just released new versions of Tableau Desktop and Tableau Server. Heartbleed is a critical security vulnerability in the component we use to manage secure internet connections. If interested, you can learn more about the Heartbleed vulnerability on our blog post and our knowledge base article.
Tableau Desktop
The versions of Tableau Desktop with this security vulnerability are: 8.1.0 thru 8.1.5. All desktop varieties-- Personal, Professional, Public Desktop, and Reader— are vulnerable. Prior versions of Tableau Desktop are not vulnerable.
To find out what version you have, please go to the Help menu in Tableau Desktop and choose “About Tableau.”
If you are using one of the vulnerable versions, we strongly encourage you upgrade your Tableau Desktop or related desktop varieties immediately to Tableau 8.1.6. You can download the release from either the primary customer download center or the alternate download site. Information and downloads are also available in our Release Notes.
Tableau Server
The versions of Tableau Server with this security vulnerability are: 8.0.6 thru 8.0.9, and 8.1.0 thru 8.1.5. Only instances with SSL enabled are at risk. The Tableau Server version is found on the login screen or after login as the last line of text on the left.
If you are using Tableau Server with SSL enabled for one of the vulnerable versions, we recommend contacting your system administrator to upgrade. System administrators can find links for upgrading in the knowledge base article.
If you have any questions, please feel free to reach out to our support organization or your account manager.
Regards,
Dan Jewett
Vice President of Product Management
Tableau Software
Vice President of Product Management
Tableau Software
Tableau and the Heartbleed Vulnerability
April 9, 2014 - 5:33pm
Update: We have made Tableau versions 8.1.6 and 8.0.10 available. These are the maintenance releases which contain the correction for the Heartbleed vulnerability. The releases can be downloaded from either the primary customer download center or the alternate download site. 8.0.10 is only on the alternate download site. Information and downloads are also available in our Release Notes.
By now you might have heard about the Heartbleed vulnerability. Heartbleed is a critical security vulnerability in the OpenSSL software project. OpenSSL is an extremely popular open source software component used by a substantial number of applications and services running on the internet. Tableau is one of many products that include the OpenSSL component to manage the secure communication protocol. On April 7th, the OpenSSL Project released news of the vulnerability and an update to address it.
By now you might have heard about the Heartbleed vulnerability. Heartbleed is a critical security vulnerability in the OpenSSL software project. OpenSSL is an extremely popular open source software component used by a substantial number of applications and services running on the internet. Tableau is one of many products that include the OpenSSL component to manage the secure communication protocol. On April 7th, the OpenSSL Project released news of the vulnerability and an update to address it.
The vulnerability allows a remote attacker to read client or server application memory. This can allow for encryption keys to be read which can enable the decrypting of data obtained by intercepting traffic. For example, passwords or other sensitive data could be accessed. Tableau’s desktop products use OpenSSL to negotiate the security protocol from the server to the desktop, including both Tableau Servers configured for SSL and Tableau Desktop products which communicate with other servers – for example a dashboard with a web page component embedded in it which may access a remote SSL server.
The Tableau product versions with this vulnerability are:
- Tableau Server version 8.0.6 thru 8.0.9 which are configured with SSL enabled. (Prior versions of Tableau Server are not vulnerable.)
- Tableau Server version 8.1.0 thru 8.1.5 which are configured with SSL enabled.
- Tableau Desktop versions 8.1.0 thru 8.1.5. All desktop varieties: Personal, Professional, Public Desktop, and Reader are vulnerable. (Prior versions of Tableau Desktop are not vulnerable).
- The initial beta version of Tableau 8.2, both desktop and server.
We are currently in final testing of updated Tableau versions that correct this vulnerability. We are creating new versions with the latest OpenSSL (version 1.0.1g) embedded. Our target is to have the software released for customers to download Thursday evening (April 10th). We will be releasing Tableau versions 8.0.10 and 8.1.6 to correct this vulnerability.
The rest of the Tableau properties do not have exposure to the Heartbleed vulnerability. Tableau Online, Tableau Public, the Tableau corporate website, customer portal, community forums, licensing server, map server, training content and other elements that are part of our website are all clear from this vulnerability.
We strongly encourage updating all affected Tableau product versions as soon as they are available, as this vulnerability poses a significant risk. Once your upgrade is complete, we recommend SSL certificates used on Tableau Server be updated as well as changing passwords on all Tableau Server accounts.
We will announce availability of our updates via our social media channels, our Release Notes forum, and an update to this blog post. With the release we will provide additional information about the changes and notes on performing the upgrade in a Knowledge Base article.
Please click here to contact our technical support organization if you have more questions or need additional guidance on performing the upgrade.