Following developments with the Apache Log4j vulnerabilities, updated advice and recommendations can be found here. The information below is no longer up to date and will not provide full mitigation for the vulnerabilities.
What is the Apache Log4j vulnerability and what are the risks?
A Java vulnerability in Log4J2 that allows for remote code execution on the host and the potential for loss of control of the system has been identified as impacting Tableau products.
We have a detailed overview of the issue and the security risks it can pose to Tableau users in our blog post here.
What recommendations have Tableau provided to mitigate the Log4j vulnerability?
Following the identification of the security flaw within Apache Log4J2, Tableau have provided two options to address the risk:
- Upgrade to the the latest maintenance release for every Tableau product – Option 1 in this KB article
- Implement a temporary security change – Option 2 in this KB article
What Tableau products do these fixes apply to?
The primary recommendation is to upgrade all products to the latest maintenance version available. An updated maintenance version is available for all product versions for 2020.4 and above:
- Tableau Server (versions 2020.4 and above)
- Tableau Desktop (versions 2020.4 and above)
- Tableau Prep (versions 2021.4)
- Tableau Bridge (versions 2021.4)
- Tableau Reader
A secondary recommendation can be used as a temporary fix instead of upgrading to the latest version, but as this is temporary the aim should be to upgrade products when possible. This secondary recommendation applies only to the following products:
- Tableau Server on Windows
- Tableau Server on Linux
- Tableau Desktop on Windows
- Tableau Desktop on MacOS
- Tableau Prep on Windows
- Tableau Prep on MacOS
- Tableau Bridge on Windows
Continue to monitor the official announcements from Salesforce on this issue here: https://status.salesforce.com/generalmessages/826
Test for Breaches in your current Server Deployment
Before performing an upgrade on your Tableau Server it is important to validate if the Tableau environments have already been compromised by the Apache Log4j vulnerability. Please see our blog post here for more details on monitoring for breaches.
If you find confirmation that your system has been compromised then we advise you to consider shutting down your server and setting up a new instance, followed by installing a fresh version of Tableau Server and using your backups to restore your environment. Additionally, it is worth considering using a backup from prior to the 10th December 2021 when the issue was identified.
Implement the maintenance patch for all Tableau products
Due to the high risk associated with this security flaw, it is recommended that you upgrade all Tableau Products as soon as is feasible or implement mitigation steps as described in option 2 of the above knowledge base article.
The latest maintenance release for Tableau Server versions can be found here:
- Tableau Server v2020.4
- Tableau Server v2021.1
- Tableau Server v2021.2
- Tableau Server v2021.3
- Tableau Server v2021.4
The latest maintenance release for Tableau Desktop versions can be found here:
- Tableau Desktop v2020.4
- Tableau Desktop v2021.1
- Tableau Desktop v2021.2
- Tableau Desktop v2021.3
- Tableau Desktop v2021.4
The latest maintenance release for Tableau Prep versions can be found here:
The latest maintenance release for Tableau Bridge versions can be found here:
The latest version for Tableau Reader can be found here:
If you are running Tableau Products on v2020.3 or prior then this version is no longer under Tableau Support Maintenance, and to make use of this security patch you will need to upgrade to v2020.4 or above. Alternatively, you can implement the temporary fix (Option 2) for your Tableau Server environments while you plan an upgrade path.
Frequently asked questions
What version of the Apache patch is included in the new maintenance release?
Currently the version included in the maintenance releases is v2.15. This patch addresses the vulnerability that can result in remote code execution on the server which can pose a high security risk. A subsequent maintenance release of Tableau products may utilise v2.16 which accounts for a potential risk to Denial of Service attacks in custom implementations of Log4j. We are waiting on confirmation from Tableau as to the next steps for this. As there is no confirmed date for a subsequent release we recommend patching your servers with the currently available maintenance releases.
We do not use Tableau Server, should I still take steps?
Yes, we recommend that you take appropriate steps for any Tableau products that you have in use within your organisation such as Desktop, Prep, Bridge or Public.
How can I prepare for a Tableau Server upgrade?
What are the steps in performing a Tableau Server upgrade?
Tableau provides a flow chart describing the key steps in performing an upgrade to your servers. The help page for Tableau Server versions 2018.2 and above for Windows servers can be found here, and for Linux servers can be found here.
How can I troubleshoot a failed Tableau Server upgrade?
If an upgrade fails it can impact any subsequent upgrade attempt. In these situations it is possible to use Tableau’s Obliterate Script to remove the failed installation to allow you to perform a fresh install and restore. Documentation on the Obliterate Script can be found here for Windows server and here for Linux servers.
Important Note – ensure you have a safe copy saved in location separate from your Tableau environment for the data backup (backup.tsbak) and the configuration backup (settings.json) as well as any secondary files and user account details that are required to fully recover your system before initiating the upgrade or obliterate process.