Full Report
The Tableau Server component in Opcenter Intelligence contains multiple vulnerabilities as described below. Siemens has released a new version for Opcenter Intelligence and recommends to update to the latest version and to install the latest available version of Tableau Server as described in https://support.sw.siemens.com/knowledge-base/PL8822108.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Tableau Server Component of Opcenter Intelligence
## CVE Details
- **CVE-2023-46604**: 10.0 (Critical) | CWE-502: Deserialization of Untrusted Data
- **CVE-2022-22128**: 9.0 (Critical) | CWE-22: Path Traversal
- **CVE-2022-22127**: 7.7 (High) | CWE-287: Improper Authentication
- **CVE-2025-26494**: 7.7 (High) | CWE-918: Server-Side Request Forgery (SSRF)
- **CVE-2025-26495**: 4.9 (Medium) | CWE-312: Cleartext Storage of Sensitive Information
## Affected Systems
- **Products**: Siemens Opcenter Intelligence (incorporating Tableau Server components).
- **Versions**: All versions prior to V2501.
- **Configurations**:
- **CVE-2022-22127**: Systems using Local Identity Store for user management.
- **CVE-2023-46604**: Systems using Java-based OpenWire brokers/clients (Apache ActiveMQ).
- **CVE-2025-26494**: Affects Tableau Server versions 2023.3 through 2023.3.5.
## Vulnerability Description
The Siemens Opcenter Intelligence platform utilizes Tableau Server, which is affected by several critical flaws:
- **Remote Code Execution (RCE)**: CVE-2023-46604 allows attackers to run arbitrary shell commands via the OpenWire protocol by manipulating serialized class types. CVE-2022-22128 allows RCE via a path traversal flaw in the Administration Agent's internal file transfer service.
- **Access Control/Authentication Bypass**: CVE-2022-22127 allows site administrators to change passwords for users in different sites (Broken Access Control). CVE-2025-26494 (SSRF) can lead to authentication bypass.
- **Information Disclosure**: CVE-2025-26495 records Personal Access Tokens (PAT) in cleartext within logging repositories.
## Exploitation
- **Status**: Not specified as "in the wild" in advisory, but CVE-2023-46604 (ActiveMQ) is a widely known vulnerability with public PoCs.
- **Complexity**: Low (CVE-2023-46604, CVE-2025-26494) to High (CVE-2022-22128, CVE-2022-22127).
- **Attack Vector**: Network (for most); Adjacent (specifically for the Opcenter implementation of CVE-2023-46604).
## Impact
- **Confidentiality**: High (Unauthorized data access and credential exposure).
- **Integrity**: High (Arbitrary command execution and password modification).
- **Availability**: High (Potential for system-wide compromise and service disruption).
## Remediation
### Patches
- **Opcenter Intelligence**: Update to **V2501** or later.
- **Tableau Server**: In tandem with the Opcenter update, install the latest available version of Tableau Server as directed in the Siemens Knowledge Base article PL8822108.
### Workarounds
- No specific software workarounds provided. Siemens recommends following "General Security Recommendations" to restrict network access.
## Detection
- **Indicators of Compromise**: Monitor for unusual shell command execution via Java processes (ActiveMQ/OpenWire). Check logs for unauthorized password change events across different site contexts.
- **Detection methods**: Audit logging repositories for cleartext Personal Access Tokens (PAT). Use network monitoring to detect unauthorized OpenWire traffic on non-standard ports.
## References
- Siemens Security Advisory SSA-246355: hxxps://cert-portal.siemens.com/productcert/pdf/ssa-246355.pdf
- Siemens Solution/KB: hxxps://support.sw.siemens.com/knowledge-base/PL8822108
- Tableau RCE Advisory (ActiveMQ): hxxps://kb.tableau.com/articles/Issue/remote-code-execution-rce-vulnerability-impacting-apache-activemq-clients
- Operational Guidelines for Industrial Security: hxxps://www.siemens.com/cert/operational-guidelines-industrial-security