Heartbleed

Thursday, September 25, 2014 Veronica Comper




IF YOU OR YOUR ORGANIZATION USES TABLEAU, YOU MAY BE AFFECTED BY THE CVE-2014-0160 (HEARTBLEED) SECURITY VULNERABILITY.
Heartbleed is a critical security vulnerability in the OpenSSL library (version 1.0.1). OpenSSL is open source software that is used by many websites and software products, including some Tableau products.
The Heartbleed vulnerability allows a remote attacker to read client or server application memory. This can expose encryption keys, which in turn can allow data obtained by intercepting traffic to be decrypted. For example, passwords or other sensitive data could be accessed. Tableau’s Desktop products use OpenSSL to negotiate the security protocol from the server to the desktop, including both Tableau Server configured for SSL and Tableau Desktop products that communicate with other servers. For example, a dashboard with a web page component embedded in it may access a remote SSL-enabled server.

TABLEAU PRODUCTS AFFECTED - UPGRADE IMMEDIATELY
You are affected by this vulnerability if you use any of the Tableau products listed in the following table. When using SSL with Tableau, connections use OpenSSL library version 1.0.1, which exposes the vulnerability.
To resolve this issue, upgrade the affected Tableau products immediately. The OpenSSL project has released a correction, OpenSSL version 1.0.1g, which Tableau has incorporated into Tableau 8.1.6 and Tableau 8.0.10. These versions are available from the Customer Portal. Tableau has also incorporated OpenSSL version 1.0.1g in the Tableau 8.2 Beta 2, which will be available from the Tableau 8.2 Beta web site.
Note: Tableau Desktop is vulnerable even if it’s not connecting to a Tableau Server. If your version of Tableau Desktop is listed under “Tableau Products Affected,” it is strongly recommended that you upgrade it.
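
For triaging an inventory against the version boundary given above (OpenSSL 1.0.1 exposed, 1.0.1g corrected), the following added example, which is not Tableau or OpenSSL project code, classifies reported OpenSSL version strings. The function names and the sample inventory are constructed for illustration.

```python
import re

# Upstream OpenSSL versions look like "1.0.1f": three numbers plus an optional
# patch letter. The advisory names 1.0.1 as exposed and 1.0.1g as the fix.
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", re.IGNORECASE)
AFFECTED_BRANCH = (1, 0, 1)
FIXED_LETTER = "g"


def classify(version_string):
    """Return 'affected', 'fixed', 'other-branch' or 'unparsed'."""
    match = _VERSION.search(version_string)
    if not match:
        return "unparsed"
    branch = tuple(int(match.group(i)) for i in (1, 2, 3))
    if branch != AFFECTED_BRANCH:
        # Branches other than 1.0.1 are outside what this advisory covers.
        return "other-branch"
    letter = match.group(4).lower()
    # "" (plain 1.0.1) sorts before "a", so one comparison covers 1.0.1..1.0.1f.
    return "affected" if letter < FIXED_LETTER else "fixed"


def needs_upgrade(inventory):
    """Return sorted names whose reported OpenSSL is flagged or unreadable.

    Unparsed entries are included so they get a manual check instead of
    being silently treated as safe.
    """
    return sorted(
        name for name, version in inventory.items()
        if classify(version) in ("affected", "unparsed")
    )


# Constructed sample inventory (hypothetical host names and version strings).
SAMPLE_INVENTORY = {
    "desktop-01": "OpenSSL 1.0.1e",
    "desktop-02": "OpenSSL 1.0.1g",
    "server-01": "OpenSSL 1.0.1",
    "server-02": "OpenSSL 0.9.8y",
    "server-03": "version unavailable",
}

if __name__ == "__main__":
    for host in needs_upgrade(SAMPLE_INVENTORY):
        print(host, SAMPLE_INVENTORY[host])
```

A version string only reflects the upstream release name; a vendor build that carries a backported fix under an older letter will still be flagged here and should be confirmed against the vendor's release notes.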