Security Bulletin

Update regarding a security vulnerability resolved in Sisense V6.7.1 on May 23, 2018

Starting from Sisense V6.7, there was an issue with data security rules. This rare issue occurred only when a single dashboard contained at least two widgets from entirely disconnected tables - meaning that there was no relationship path leading from one table to the other.

If a filter was applied on one of the tables, data security rules of the second table were disabled. The widget showing data from the second table would display all data, without data security rule restrictions.

Note that the issue did not occur when a dashboard only used widgets related to a single data security field. The issue also did not occur if there was any relationship path between the tables of the data security fields. The relationship path did not have to be a direct relationship between the tables; it could be a relationship that went through other tables.

The issue is resolved in Sisense V6.7.1 (build 6.7.1.17004), and in Sisense V7.1.2.
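As an added illustration (constructed for this bulletin, not Sisense code), the following model encodes the affected dashboard condition: a widget on a table with a data security rule is exposed only when another widget on the dashboard reads from a table that has a filter applied and no relationship path, direct or via other tables, connects the two tables. Table names, widget names and relationships below are made up.

```python
from collections import deque

# Constructed model of the condition described in the bulletin (not Sisense code).
# Tables are nodes; relationships are undirected edges, so a path may run through
# intermediate tables, matching the bulletin's note on indirect relationships.

def connected(relationships, start, goal):
    """True if a relationship path (direct or via other tables) links start and goal."""
    adjacency = {}
    for a, b in relationships:
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        table = queue.popleft()
        if table == goal:
            return True
        for nxt in adjacency.get(table, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False

def exposed_widgets(widgets, relationships, secured_tables, filtered_tables):
    """Return widgets whose data security rules would be dropped under the pre-6.7.1 issue.

    widgets: mapping widget name -> table it reads from (constructed input)
    secured_tables: tables that carry a data security rule
    filtered_tables: tables a dashboard filter is applied to
    """
    exposed = set()
    for filtered_widget, filtered_table in widgets.items():
        if filtered_table not in filtered_tables:
            continue  # only a filtered table triggers the condition
        for widget, table in widgets.items():
            if widget == filtered_widget or table == filtered_table:
                continue  # same widget or same table: rules still applied
            if table not in secured_tables:
                continue  # nothing to drop on an unsecured table
            if not connected(relationships, filtered_table, table):
                exposed.add(widget)  # disconnected tables: rule was disabled
    return sorted(exposed)

# Constructed sample dashboard: sales tables are linked, HR table stands alone.
SAMPLE_RELATIONSHIPS = [("orders", "customers"), ("customers", "regions")]
SAMPLE_WIDGETS = {"sales_by_region": "orders", "headcount": "hr_headcount"}
SAMPLE_SECURED = {"orders", "hr_headcount"}
```

Adding a relationship such as ("regions", "hr_headcount") creates an indirect path and removes the exposure, which is the behaviour the bulletin describes.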


Update regarding Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715)

The Meltdown/Spectre vulnerabilities are the recently disclosed vulnerabilities found in Intel's processors. They affect all of the Windows operating systems. Sisense provides an application and does not provide the server hardware or the Windows OS; these are provided by customers. As such, it is the customers' responsibility to secure their OS.

We recommend that customers follow all security recommendations of the vendors who provided the customers' OS. The current Windows recommendation is to install the latest available security updates for the OS. Sisense has run extensive performance tests on the OS patch (Windows patch) and found a minimal impact on performance.

For more information about these vulnerabilities and how to mitigate them, see:

Meltdown and Spectre: A high-level description of the vulnerabilities.

Project Zero: Describes the theory behind the vulnerabilities by those who discovered them.

Intel Official Announcement: Describes Intel’s response to the vulnerabilities.

AMD Processor Security: Describes AMD’s response to the vulnerabilities.