As the security analysis of issues related to Apache Log4j2 continues, a new vulnerability has been identified by Apache. To address this new vulnerability, on Sunday, December 19th, Tableau released a new maintenance patch and updated instructions for how to mitigate against the risk.

The December 19th, 2021 Tableau Product releases have integrated the log4j 2.16 release, which disables JNDI Lookup by default. By updating to the product releases from December 19, 2021, you are addressing the security issues currently identified in CVE-2021-44228 & CVE-2021-45046. While upgrading is the recommended path, there is a second option provided to implement a temporary security change to mitigate the vulnerability.

Recommended actions

- Upgrade to the latest maintenance release for every Tableau product – Option 1 in this KB article.
- Implement a temporary security change – Option 2 in this KB article.

Due to the high risk associated with this security flaw, it is recommended that you upgrade all Tableau Products as soon as is feasible or implement mitigation steps as described in option 2 of the above knowledge base article.

The latest maintenance release for Tableau Server versions can be found here:
The latest maintenance release for Tableau Desktop versions can be found here:
The latest maintenance release for Tableau Prep versions can be found here:
The latest maintenance release for Tableau Bridge versions can be found here:
The latest version for Tableau Reader can be found here:
The latest version for Tableau Public Desktop can be found here:

If you are running Tableau Products on v2020.3 or prior, then this version is no longer under Tableau Support Maintenance, and to make use of this security patch you will need to upgrade to v2020.4 or above. The application of the temporary security fix (Option 2) may not provide mitigation on versions prior to v2020.4.

Official announcements

Continue to monitor the official announcements from Salesforce on this issue here:

Test for Breaches in your current Server Deployment

Before performing an upgrade on your Tableau Server, it is important to validate whether the Tableau environments have already been compromised by the Apache Log4j vulnerability. Please see our blog post here for more details on monitoring for breaches. If you find confirmation that your system has been compromised, then we advise you to consider shutting down your server and setting up a new instance, followed by installing a fresh version of Tableau Server and using your backups to restore your environment.
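To confirm which installations still ship a log4j build older than the 2.16 release named above, the following Python script inventories log4j-core jars under a directory. It is an added example, not Tableau or Salesforce tooling. It assumes each jar carries an Implementation-Version manifest entry or the standard log4j-core-<version>.jar file name; the sample jars and the lib directory are constructed for the demonstration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

BASELINE = (2, 16, 0)  # log4j release the December 19, 2021 Tableau builds integrate
NAME_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?.*\.jar$", re.I)
MANIFEST_RE = re.compile(r"^Implementation-Version:\s*(\d+)\.(\d+)(?:\.(\d+))?", re.M)
# Constructed sample jars: file name -> manifest version (None = no version anywhere)
SAMPLES = {"log4j-core-2.14.1.jar": "2.14.1", "log4j-core-2.16.0.jar": "2.16.0",
           "log4j-core-renamed.jar": None}

def jar_version(path):
    """Return (major, minor, patch) from the manifest, else the file name, else None."""
    m = None
    try:
        with zipfile.ZipFile(path) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = MANIFEST_RE.search(text)
    except (KeyError, zipfile.BadZipFile, OSError):
        pass  # missing manifest or unreadable archive: fall back to the file name
    m = m or NAME_RE.search(path.name)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def audit(root):
    """List (file name, version, status) for every log4j-core jar under root."""
    findings = []
    for path in sorted(Path(root).rglob("*.jar")):
        if not path.name.lower().startswith("log4j-core"):
            continue
        version = jar_version(path)
        if version is None:
            status = "unknown"  # version not recoverable: inspect by hand
        elif version < BASELINE:
            status = "below-2.16"
        else:
            status = "2.16-or-later"
        findings.append((path.name, version, status))
    return findings

def demo():
    """Build the constructed sample jars in a temporary tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, ver in SAMPLES.items():
            jar_path = Path(tmp, "lib", name)
            jar_path.parent.mkdir(exist_ok=True)
            with zipfile.ZipFile(jar_path, "w") as jar:
                body = f"Implementation-Version: {ver}\n" if ver else "Manifest-Version: 1.0\n"
                jar.writestr("META-INF/MANIFEST.MF", body)
        return audit(tmp)
```

Call `audit()` on an installation directory to get the same report for real jars. Copies of log4j repackaged inside other archives are not found by this file-name walk.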