Title

Sun Ray Server software patches are not tested in a development environment first before deploying to production. (Cat II impact)

Discussion

Organizations need to stay current with all applicable Sun Ray Server software updates that are released from Sun Microsystems. New Sun Ray Server patches and updates should be reviewed for the Sun Ray Server before moving them into a production environment. Sun Ray Server patches will be tested first in a development environment and any issues or special precautions will be documented, as a patch could technically disable all Sun Ray Desktop Units, cause unexpected performance or availability issues.

Check Content

1. Ask the IAO/SA where the test and development Sun Ray Servers are located. Access those servers and perform the following commands: # /opt/SUNWut/lib/utspatches Should return the following: 127554-02 127557-01 OR # patchadd –p | grep <patch> SRSS Patches need to be at one of the following: Solaris/SPARC 127553 Solaris/x86 127554 Linux/x86 127555 SRWC 2.0 Patches need to be at one of the following: Solaris/SPARC 127556 Solaris/x86 127557 Linux/x86 127558 If the preceding patches are not returned, this is a finding. Check Sun Microsystems’s website for updated patches that may have been released after this checklist. 2. Request from the IAO/SA for a documented procedure on how their patches are tested on a development system before using on production systems. If no procedure is provided, this is a finding.

Fix Text

Implement the latest patches for the Sun Ray system. Check Sun Microsystems’s website for updated patches that may have been released after this checklist. Create patch procedures for testing before deploying patches to the production system.

Additional Identifiers

Rule ID:

Vulnerability ID: V-16100

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.