KNOWLEDGE BASE

Oracle NetSuite and SAP SuccessFactors connectors used in Tableau Gallery may be storing sensitive data


Published: 15 Sep 2021
Last Modified Date: 25 Sep 2021

Issue

The Oracle NetSuite and SAP SuccessFactors connectors used in Tableau Gallery may be storing the following sensitive data in your logging infrastructure:   

  • Client ID
  • Refresh Token 
  • Access Tokens

This issue could allow an individual with access to the logs the ability to leverage a user’s credentials to gain access to and extract data from Oracle NetSuite and/or SAP SuccessFactors.


 

Environment

This issue will only affect environments that use BOTH of the following beginning July 22, 2021:

1. A vulnerable connector from the Tableau Gallery:
  • Oracle NetSuite connector
  • SAP SuccessFactors connector

2. A vulnerable version of Tableau products:
  • Tableau Server 2021.2 or greater
  • Tableau Desktop 2021.2 or greater
  • Tableau Prep Builder 2021.2 or greater

Resolution

To remediate this issue for your Oracle NetSuite and/or SAP SuccessFactors connectors, please take the following actions: 
 

Update the Connector

  • Tableau Desktop
    • Delete the cdata.netsuite.taco and/or cdata.sapsuccessfactors.taco from all user directories:
      • Windows: C:\Users[Windows User]\Documents\My Tableau Repository\Connectors
      • macOS: /Users/[user]/Documents/My Tableau Repository/Connectors
    • Restart Tableau Desktop and install the connectors from the “Additional Connectors” section. Note: the install will force Tableau Desktop to restart.
  • Tableau Prep Builder
    • Delete the cdata.netsuite.taco and/or cdata.sapsuccessfactors.taco from all user directories:
      • Windows: C:\Users[Windows User]\Documents\My Tableau Prep Repository\Connectors
      • macOS: /Users/[user]/Documents/My Tableau Prep Repository/Connectors
    • Download the updated cdata.netsuite_20-0-7923.taco and/or cdata.sapsuccessfactors_20-0-7923.taco from the Tableau Extension Gallery.
    • Copy the new file into the user directories:
      • Windows: C:\Users[Windows User]\Documents\My Tableau Prep Repository\Connectors
      • macOS: /Users/[user]/Documents/My Tableau Prep Repository/Connectors
    • Restart Tableau Prep.
  • Tableau Server
    • Delete the cdata.netsuite.taco and/or cdata.sapsuccessfactors.taco from the connector directory on each relevant node.
    • Download the updated cdata.netsuite_20-0-7923.taco and/or cdata.sapsuccessfactors_20-0-7923.taco from the Tableau Extension Gallery.
    • Copy the new file into the appropriate connector directories:
      • Windows: C:\ProgramData\Tableau\Tableau Server\data\tabsvc\vizqlserver\Connectors
      • Linux: /data/tabsvc/vizqlserver/Connectors

Rotate your secrets

  • Consult your Oracle NetSuite and SAP SuccessFactors source application documentation to prevent abuse of any leaked secret. Valid approaches are to either revoke permission for the impacted Client ID to connect to the system or revoked leaked refresh tokens.
  • Follow the instructions indicated by your OAuth provider to invalidate the existing Client ID and secret, then generate new ones.

​​​Purge logs and update workbook connections

Follow the steps below to remove the secrets:
  • Edit the connection properties of existing Workbooks created using the impacted versions of the connectors and resave them. By editing the authentication properties, you can remove the compromised secrets and the Workbook can be resaved. From the Data Source Tab, right-click on the source and choose “Edit Connection”  Enter new credentials and re-save.
  • Search the Tableau-generated log files for the impacted date range (July 22, 2021 to present). The secrets will appear as values for the following properties: v-oauthaccesstoken, v-oauthclientid and v-oauthclientsecret
  • On Tableau Server, use tsm maintenance commands to purge log files for the impacted date range.

Please contact Tableau Technical Support for further instructions on identifying risks, purging logs, and updating workbook connections.

Cause

During a recent security review of our products, we identified that certain connectors used in Tableau Gallery may be logging sensitive data into your logging infrastructure since July 22, 2021.
Did this article resolve the issue?