Sun Ray Server Software 4.1Date of Resolved Release
Vulnerability in Sun Ray Server Software due to Logout Failure, see below:
When a local user logs out of a Sun Ray desktop session, the session
may log the user back in again. The user may be unaware that the
session has logged in again and is unlocked, which may allow another
user to access to the desktop session.
The issue does not occur when one locks the screen or when the
smartcard used to access a session is removed from the Sun Ray DTU.
2. Contributing Factors
This issue can occur in the following releases:
- Sun Ray Server Software 4.1 (for Solaris 10) without patch 139548-03
- Sun Ray Server Software 4.1 (for Solaris 10) without patch 139549-03
Note 1: Sun Ray Server Software 4.0 and Sun Ray Server Software 4.1 on the
Linux platform are not impacted by this issue.
Note 2: For the issue to occur, Sun Ray "Automatic Multi-Group
Hotdesking" (AMGH) feature must be enabled and supplying usernames
and one of the following must also apply:
a) "Non Smartcard Mobility" (NSCM) is not configured (i.e. non-mobile
pseudo sessions are used) and another user has physical access to the
Sun Ray DTU where the user had previously logged out.
b) Smartcards are used to access a session, and another user has
physical access to that smartcard and physical access to any Sun Ray DTU.
Upon logout, a local user is automatically logged in again.
If smartcards are not used for Sun Ray session authentication, then enable NSCM
policy and do not use smartcards. If that is not feasible, then disable Remote Hotdesk
To disable RHA, use the Admin GUI or the -D option of utpolicy(1M).
This issue is addressed in the following releases:
- Sun Ray Server Software 4.1 (for Solaris 10) with patch 139548-03
- Sun Ray Server Software 4.1 (for Solaris 10) with patch 139549-03
For more information on Security Sun Alerts, see
This solution has no attachment