
Vulnerability in Apache logging component Log4j2

Our recommendations for dealing with security vulnerabilities

15/12/2021
Tableau

Dear customers,

As you probably already know, a vulnerability has been found in the Apache logging component Log4j 2:

According to current knowledge, your Tableau Software products are affected by this. Tableau Server in particular uses this component to generate log files.

Tableau and/or Salesforce are currently investigating the issue with the highest priority and have temporarily removed all product downloads (including Tableau Desktop) from the Tableau website.

What to do now?

Point 1: We currently recommend that customers whose Tableau Server is accessible from the Internet block external access to Tableau and, if necessary, make it reachable only from the local network. In particularly security-critical cases, Tableau Server can be shut down to completely eliminate any risk of attack.

Point 2: We recommend monitoring your network more intensively. Your server could be vulnerable or already affected. We therefore recommend scanning the system regularly and reviewing the logs to identify any code that may have been introduced.

Point 3: We also recommend that our customers who only run Tableau Server on a local network (i.e. not accessible on the Internet) monitor the network.

Point 4: The products Tableau Desktop, Tableau Prep and Tableau Reader are also affected by this vulnerability, because these tools use the following two Java packages in conjunction with the Log4j component:

  • jdbcserver.jar

  • oauthservice.jar

In our opinion, the risk to client environments is manageable, as client systems are usually not a permanent target. Nevertheless, Tableau Desktop or Tableau Prep should only be run in a protected environment and, like Tableau Server, should only be used with sensitive information on the corporate network.

Point 5: At present we cannot recommend a method that fixes the vulnerability, even temporarily, or renders it unusable. As soon as we know of a secure method, we will inform you.
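To support the system scans in Point 2 and the package inventory in Point 4, the following added example (not code from M2, Tableau or Apache) lists every archive under a directory that contains the log4j-core `JndiLookup` class, including copies nested inside other JARs. The function names, the depth limit and the entry paths are assumptions of this example; shaded copies with renamed packages are not detected.

```python
import io
import sys
import zipfile
from pathlib import Path

# Entry names as laid out in log4j-core 2.x JARs (assumption of this example).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, label, max_depth=4):
    """Return [(location, version_or_None)] for each embedded log4j-core copy."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive: nothing to report
    with zf:
        names = zf.namelist()
        if any(n.endswith(JNDI_CLASS) for n in names):
            props = [n for n in names if n.endswith(POM_PROPS)]
            text = zf.read(props[0]).decode("utf-8", "replace") if props else ""
            version = next((ln.split("=", 1)[1].strip() for ln in text.splitlines()
                            if ln.startswith("version=")), None)
            hits.append((label, version))
        if max_depth > 0:  # descend into archives packed inside this one
            for n in names:
                if n.lower().endswith(ARCHIVE_EXT):
                    hits += scan_archive(zf.read(n), f"{label}!{n}", max_depth - 1)
    return hits


def scan_tree(root):
    """Scan every archive file below root (each file is read fully into memory)."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            try:
                hits += scan_archive(path.read_bytes(), str(path))
            except (OSError, zipfile.BadZipFile):
                continue  # unreadable or corrupt file: skip it
    return hits


if __name__ == "__main__":
    for location, version in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{location}\tlog4j-core {version or 'version unknown'}")
```

Run it with the installation directory as the only argument; each output line names the containing file, the nested path after `!`, and the version read from the embedded Maven metadata when present.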

We also recommend that you regularly check the status at Tableau/Salesforce:

Your M2 Team

Phone: +49 (0)30 20 89 87 010
