CVE-2022-22127
📋 TL;DR
This vulnerability allows a malicious Tableau Server site administrator to change passwords for users in different sites hosted on the same server when using Local Identity Store. This could lead to unauthorized access to sensitive data. Only Tableau Server customers using Local Identity Store for user management are affected.
💻 Affected Systems
- Tableau Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
A compromised site administrator could reset passwords for all users across all sites, gaining unauthorized access to sensitive business intelligence data and potentially exfiltrating or manipulating critical information.
Likely Case
A malicious insider with site administrator privileges could access data from other sites they shouldn't have access to, potentially exposing confidential business data or personal information.
If Mitigated
With proper access controls and monitoring, the impact is limited to unauthorized password resets that can be detected and reversed before significant damage occurs.
🎯 Exploit Status
Exploitation requires site administrator privileges. The vulnerability involves broken access control within the Tableau Server administration interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2020.4.16, 2021.1.13, 2021.2.10, 2021.3.9, 2021.4.4
Vendor Advisory: https://help.salesforce.com/s/articleView?id=000365493&type=1
Restart Required: Yes
Instructions:
1. Download the latest Tableau Server version from the official Tableau website.
2. Follow Tableau's upgrade documentation for your specific version.
3. Apply the update to all Tableau Server nodes.
4. Restart Tableau Server services.
🔧 Temporary Workarounds
Restrict Site Administrator Privileges
Limit the number of site administrators and implement strict access controls. Only grant site administrator privileges to trusted personnel who genuinely require them.
Implement External Identity Provider
Migrate from Local Identity Store to an external identity provider (such as Active Directory, LDAP, or SAML); the advisory states that only deployments using Local Identity Store are affected.
🧯 If You Can't Patch
- Implement strict monitoring of password reset activities in Tableau Server logs
- Enforce least privilege access and regularly audit site administrator accounts
🔍 How to Verify
Check if Vulnerable:
Check the Tableau Server version via the Tableau Server Administration UI or the command line. If Local Identity Store is in use and the version is at or below the last affected release of its branch (2020.4.16, 2021.1.13, 2021.2.10, 2021.3.9, or 2021.4.4), you are vulnerable.
Check Version:
tabadmin version (Linux) or tableau-server-version (Windows)
Verify Fix Applied:
Verify Tableau Server version is updated beyond affected versions and test that site administrators cannot change passwords for users in other sites.
📡 Detection & Monitoring
Log Indicators:
- Unusual password reset activities by site administrators
- Password reset attempts for users in different sites
- Failed login attempts followed by password resets
Network Indicators:
- Unusual authentication patterns from site administrator accounts
- Access to data from sites not normally accessed by the administrator
SIEM Query:
source="tableau_server" AND (event_type="password_reset" OR event_type="user_modified") AND target_user_site != admin_user_site
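As an added illustration that is not part of the advisory, the following Python applies the cross-site check expressed by the SIEM query above to constructed JSON-lines events. The field names mirror the query; the JSON shape and the actor_role field are assumptions, since real Tableau Server log formats are not shown here, and server administrators are excluded because they legitimately manage every site.

```python
import json
from typing import Iterable

# Constructed sample events (not real Tableau Server log output). The shape is
# an assumption that reuses the field names of the SIEM query on this page.
SAMPLE_EVENTS = """
{"ts": "2022-02-01T10:00:01Z", "event_type": "password_reset", "actor": "alice", "actor_role": "SiteAdministrator", "admin_user_site": "Finance", "target_user": "bob", "target_user_site": "Finance"}
{"ts": "2022-02-01T10:02:17Z", "event_type": "password_reset", "actor": "alice", "actor_role": "SiteAdministrator", "admin_user_site": "Finance", "target_user": "carol", "target_user_site": "HR"}
{"ts": "2022-02-01T10:03:40Z", "event_type": "user_modified", "actor": "alice", "actor_role": "SiteAdministrator", "admin_user_site": "Finance", "target_user": "dave", "target_user_site": "Sales"}
{"ts": "2022-02-01T10:05:00Z", "event_type": "password_reset", "actor": "root-admin", "actor_role": "ServerAdministrator", "admin_user_site": "Default", "target_user": "erin", "target_user_site": "HR"}
{"ts": "2022-02-01T10:06:12Z", "event_type": "login_failed", "actor": "alice", "actor_role": "SiteAdministrator", "admin_user_site": "Finance", "target_user": "alice", "target_user_site": "Finance"}
"""

# Event types named in the SIEM query on this page.
WATCHED_EVENTS = {"password_reset", "user_modified"}


def cross_site_admin_actions(lines: Iterable[str]) -> list[dict]:
    """Return watched events where a *site* administrator acted on a user
    belonging to a different site (the condition the SIEM query encodes).

    Server administrators are skipped: they manage all sites by design, so
    their cross-site actions are routine rather than an indicator.
    """
    hits: list[dict] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") not in WATCHED_EVENTS:
            continue
        if ev.get("actor_role") != "SiteAdministrator":  # assumed field
            continue
        if ev.get("admin_user_site") != ev.get("target_user_site"):
            hits.append(ev)
    return hits


def foreign_sites_by_actor(hits: list[dict]) -> dict[str, set[str]]:
    """Aggregate flagged events: which other sites each site admin reached."""
    out: dict[str, set[str]] = {}
    for ev in hits:
        out.setdefault(ev["actor"], set()).add(ev["target_user_site"])
    return out


if __name__ == "__main__":
    flagged = cross_site_admin_actions(SAMPLE_EVENTS.splitlines())
    for ev in flagged:
        print(f"{ev['ts']} {ev['actor']}@{ev['admin_user_site']} "
              f"{ev['event_type']} -> {ev['target_user']}@{ev['target_user_site']}")
    print(foreign_sites_by_actor(flagged))
```

In the sample, only alice's two actions against HR and Sales users are flagged; her same-site reset, her failed login, and the server administrator's reset are not.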