Cross-site Scripting Vulnerabilities in the Sun Secure Global Desktop Software

| Category : | Security |
| Release Phase : | Resolved |
| Product : | Sun Secure Global Desktop Software 4.2 |
| Bug Id : | 6467099 |
| Date of Resolved Release : | 29-SEP-2006 |

Impact
Two cross-site scripting vulnerabilities in the Sun Secure Global Desktop (SSGD) software may allow a local or remote unprivileged user to execute arbitrary script commands in another user's context. This could allow an unprivileged remote user to steal cookie information, hijack sessions, or cause a loss of data privacy between a client and the server.
Sun acknowledges, with thanks, Marc Ruef of scip AG for bringing this issue to our attention.
Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- Sun Secure Global Desktop Software 4.2 (for Solaris 8, 9, 10) prior to build 4.20.983
x86 Platform
- Sun Secure Global Desktop Software 4.2 (for Solaris 10) prior to build 4.20.983
Linux Platform
- Sun Secure Global Desktop Software 4.2 prior to build 4.20.983
To determine the version of the Sun Secure Global Desktop Software running on a system, the following command can be executed on the Sun Secure Global Desktop server:
    $ <INSTALL_DIR>/bin/tarantella version
    Sun Secure Global Desktop Software for SPARC Solaris 2.8+ (4.20.983)
    Architecture code: spso0510
    This host: SunOS <SERVER NAME> 5.10 Generic_118822-25 sun4v sparc SUNW,Sun-Fire-T2000
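The build check described above can be scripted; the following is an added example, not part of the original advisory or of Sun's tooling. The function names, the status words and the sample build 4.20.909 are constructed for illustration, and the script assumes every 4.2 build is numbered 4.20.N, as the builds on this page are.

```shell
#!/bin/sh
# Added example, not Sun's tooling. FIXED_BUILD is the build named in this advisory.
FIXED_BUILD="4.20.983"

# Print the dotted build number found in parentheses on the first line of
# `tarantella version` output; print nothing if none is present.
ssgd_build() {
    printf '%s\n' "$1" | sed -n '1s/.*(\([0-9][0-9.]*\)).*/\1/p'
}

# Return 0 if build $1 is older than build $2. Fields are compared as integers,
# because a plain string comparison would rank 4.20.99 above 4.20.983.
ver_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -lt "$fb" ] && return 0
        [ "$fa" -gt "$fb" ] && return 1
    done
    return 1
}

# Classify version output as vulnerable, fixed, not-covered or unknown.
# Assumption: every 4.2 build is numbered 4.20.N, as the builds on this page are.
ssgd_status() {
    build=$(ssgd_build "$1")
    case $build in
        "")     echo unknown ;;
        4.20.*) if ver_lt "$build" "$FIXED_BUILD"; then echo vulnerable; else echo fixed; fi ;;
        *)      echo not-covered ;;
    esac
}

# Constructed sample: the advisory's output line with a made-up older build.
SAMPLE_OLD='Sun Secure Global Desktop Software for SPARC Solaris 2.8+ (4.20.909)'
ssgd_status "$SAMPLE_OLD"
# On a server: ssgd_status "$(<INSTALL_DIR>/bin/tarantella version)"
```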
Symptoms
There are no predictable symptoms that would indicate the described issue has occurred.
Workaround
There is no workaround for this issue. Please see the Resolution section below.
Resolution
This issue is addressed in the following releases:
SPARC Platform
- Sun Secure Global Desktop Software 4.2 (for Solaris 8, 9, 10) build 4.20.983 or later
x86 Platform
- Sun Secure Global Desktop Software 4.2 (for Solaris 10) build 4.20.983 or later
Linux Platform
- Sun Secure Global Desktop Software 4.2 build 4.20.983 or later
The latest build of Sun Secure Global Desktop Software can be downloaded for all of the above platforms from the following URL:
http://www.sun.com/download/products.xml?id=43321db9
Attachments
This solution has no attachment