Loading

Oracle NetSuite and SAP SuccessFactors connectors used in Tableau Gallery may be storing sensitive data

Date de publication: Feb 19, 2025
Description

The Oracle NetSuite and SAP SuccessFactors connectors used in Tableau Gallery may be storing the following sensitive data in your logging infrastructure:   

  • Client ID
  • Refresh Token 
  • Access Tokens

This issue could allow an individual with access to the logs the ability to leverage a user’s credentials to gain access to and extract data from Oracle NetSuite and/or SAP SuccessFactors.


 

Cause

During a recent security review of our products, we identified that certain connectors used in Tableau Gallery may be logging sensitive data into your logging infrastructure since July 22, 2021.
Résolution

To remediate this issue for your Oracle NetSuite and/or SAP SuccessFactors connectors, please take the following actions: 
 

Update the Connector

  • Tableau Desktop
    • Delete the cdata.netsuite.taco and/or cdata.sapsuccessfactors.taco from all user directories:
      • Windows: C:\Users[Windows User]\Documents\My Tableau Repository\Connectors
      • macOS: /Users/[user]/Documents/My Tableau Repository/Connectors
    • Restart Tableau Desktop and install the connectors from the “Additional Connectors” section. Note: the install will force Tableau Desktop to restart.
  • Tableau Prep Builder
    • Delete the cdata.netsuite.taco and/or cdata.sapsuccessfactors.taco from all user directories:
      • Windows: C:\Users[Windows User]\Documents\My Tableau Prep Repository\Connectors
      • macOS: /Users/[user]/Documents/My Tableau Prep Repository/Connectors
    • Download the updated cdata.netsuite_20-0-7923.taco and/or cdata.sapsuccessfactors_20-0-7923.taco from the Tableau Extension Gallery.
    • Copy the new file into the user directories:
      • Windows: C:\Users[Windows User]\Documents\My Tableau Prep Repository\Connectors
      • macOS: /Users/[user]/Documents/My Tableau Prep Repository/Connectors
    • Restart Tableau Prep.
  • Tableau Server
    • Delete the cdata.netsuite.taco and/or cdata.sapsuccessfactors.taco from the connector directory on each relevant node.
    • Download the updated cdata.netsuite_20-0-7923.taco and/or cdata.sapsuccessfactors_20-0-7923.taco from the Tableau Extension Gallery.
    • Copy the new file into the appropriate connector directories:
      • Windows: C:\ProgramData\Tableau\Tableau Server\data\tabsvc\vizqlserver\Connectors
      • Linux: /data/tabsvc/vizqlserver/Connectors

Rotate your secrets

  • Consult your Oracle NetSuite and SAP SuccessFactors source application documentation to prevent abuse of any leaked secret. Valid approaches are to either revoke permission for the impacted Client ID to connect to the system or revoked leaked refresh tokens.
  • Follow the instructions indicated by your OAuth provider to invalidate the existing Client ID and secret, then generate new ones.

​​​Purge logs and update workbook connections

Follow the steps below to remove the secrets:
  • Edit the connection properties of existing Workbooks created using the impacted versions of the connectors and resave them. By editing the authentication properties, you can remove the compromised secrets and the Workbook can be resaved. From the Data Source Tab, right-click on the source and choose “Edit Connection”  Enter new credentials and re-save.
  • Search the Tableau-generated log files for the impacted date range (July 22, 2021 to present). The secrets will appear as values for the following properties: v-oauthaccesstoken, v-oauthclientid and v-oauthclientsecret
  • On Tableau Server, use tsm maintenance commands to purge log files for the impacted date range.

Please contact Tableau Technical Support for further instructions on identifying risks, purging logs, and updating workbook connections.
Numéro d’article de la base de connaissances

001474461

 
Chargement
Salesforce Help | Article