Update: We have made Tableau versions 8.1.6 and 8.0.10 available. These are the maintenance releases which contain the correction for the Heartbleed vulnerability. The releases can be downloaded from either the primary customer download center or the alternate download site. 8.0.10 is only on the alternate download site. Information and downloads are also available in our Release Notes.
By now you might have heard about the Heartbleed vulnerability. Heartbleed is a critical security vulnerability in the OpenSSL software project. OpenSSL is an extremely popular open source software component used by a substantial number of applications and services running on the internet. Tableau is one of many products that include the OpenSSL component to manage the secure communication protocol. On April 7th, the OpenSSL Project released news of the vulnerability and an update to address it.
The vulnerability allows a remote attacker to read client or server application memory. This can allow for encryption keys to be read which can enable the decrypting of data obtained by intercepting traffic. For example, passwords or other sensitive data could be accessed. Tableau’s desktop products use OpenSSL to negotiate the security protocol from the server to the desktop, including both Tableau Servers configured for SSL and Tableau Desktop products which communicate with other servers – for example a dashboard with a web page component embedded in it which may access a remote SSL server.
The Tableau product versions with this vulnerability are:
- Tableau Server version 8.0.6 thru 8.0.9. UPDATE: we had previously stated that the vulnerability applies only to versions which are configured with SSL enabled, but all software with these versions are vulnerable. (Prior versions of Tableau Server are not vulnerable.)
- Tableau Server version 8.1.0 thru 8.1.5. UPDATE: we had previously stated that the vulnerability applies only to versions which are configured with SSL enabled, but all software with these versions are vulnerable.
- Tableau Desktop versions 8.1.0 thru 8.1.5. All desktop varieties: Personal, Professional, Public Desktop, and Reader are vulnerable. (Prior versions of Tableau Desktop are not vulnerable).
- The initial beta version of Tableau 8.2, both desktop and server.
We are currently in final testing of updated Tableau versions that correct this vulnerability. We are creating new versions with the latest OpenSSL (version 1.0.1g) embedded. Our target is to have the software released for customers to download Thursday evening (April 10th). We will be releasing Tableau versions 8.0.10 and 8.1.6 to correct this vulnerability.
The rest of the Tableau properties do not have exposure to the Heartbleed vulnerability. Tableau Online, Tableau Public, the Tableau corporate website, customer portal, community forums, licensing server, map server, training content and other elements that are part of our website are all clear from this vulnerability.
We strongly encourage updating all affected Tableau product versions as soon as they are available, as this vulnerability poses a significant risk. Once your upgrade is complete, we recommend SSL certificates used on Tableau Server be updated as well as changing passwords on all Tableau Server accounts.
We will announce availability of our updates via our social media channels, our Release Notes forum, and an update to this blog post. With the release we will provide additional information about the changes and notes on performing the upgrade in a Knowledge Base article.
Please click here to contact our technical support organization if you have more questions or need additional guidance on performing the upgrade.