Skyhigh Security

Secure Web Gateway 11.2.x Release Notes

New Features in the 11.2 Release

This release provides the following new features. For resolved issues in this release and the update releases, see further below.

NOTE: Secure Web Gateway 11.2 is provided as a main release.

For information about how to install this release, see the Upgrading to a New Version - Controlled Release. If you are installing the Secure Web Gateway appliance software for the first time, see Installing Secure Web Gateway for the First Time.

New Properties for Web Policy Rules 

When configuring rules for your web policy, you can use these new items:

  • A new property to expose encrypted archive directory listings.
  • A new property to store the rule and rule set names or IDs that were processed at the end of the request and response filtering cycles.

GTI Data Included in Feedback File 

Data that is collected by the GTI diagnosis script of the operating system is included in the output feedback file.

TCP Dump Options Enhanced 

TCP dump options have been enhanced by adding a packet tracing feature.

More Flexibility for HTTP Proxy Port Configuration 

When configuring an HTTP Proxy Port, you can disable the Enable FTP over HTTP option. The option is enabled by default.

SSL Tap Configuration Enhanced 

 The following enhancements have been added to SSL Tap configuration:

  • The destination port number is not overwritten by default when tapped packets are created.
  • The destination MAC address can be customized when tapped packets are broadcast.
  • SSL tapping now supports HTTP2 on Secure Web Gateway.

Detection of Excel 4 Macros Added 

Excel 4 macros are now detected in media type filtering. 

IP Spoofing Supported for HTTP(S) in Proxy Configuration 

IP spoofing is supported for HTTP(S) when setting up proxies in Explicit Proxy or L2 Transparent mode.

Resolved issues in update 11.2.3 

This release resolves known issues.

For a list of issues that are currently known, but not resolved yet, see Secure Web Gateway 11.x Known Issues (KB94979).

NOTE: Secure Web Gateway 11.2.3 is provided as a main release.      

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

JIRA issue numbers are provided in the reference columns.

Web filtering
Reference Description
WP-4578 An issue with eml files, which were getting blocked due to an underscore in the message header, has been resolved.
WP-4605 PDF files that are submitted to an electronic signature platform do not get blocked anymore by a Block Encrypted Types rule, as the user key is correctly detected now.
WP-4864 Web policies are no longer invalidated because of a CTD removal that had happened.
WP-4887 Opening a document of the application/postscript media type no longer results in false as a value for the MediaTypeHasOpener property after this media type was added to the list of media types that can be handled by the File Opener on Secure Web Gateway.
WP-4922 An issue with high memory usage that occurred with the UCE container on Secure Web Gateway due to an endless loop in Excel 4 macro media type detection has been resolved.

Network communication
Reference Description
WP-4835 Exceptions that had been entered in the Port Redirection table based on IP addresses are working as expected for the Transparent Bridge mode.
WP-4931 Checking lists with revoked certificates does not fail anymore, which had happened due to a browser error.

Other
Reference Description
WP-4937 A failure of the SaaS Connector on Secure Web Gateway does not occur anymore.
WP-4465 Tomcat has been upgraded from version 7.x to version 9.x.

Announced Vulnerabilities       

Reference Description

WP-3750, WP-4871

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-23307, CVE-2022-23305, CVE-2022-23302
  • CVE-2022-37434 - There is a low impact; successful exploitation requires physical system access.

For more information about these CVEs and their impact, see the Red Hat CVE portal.

Resolved Issues in Update 11.2.2 

This release resolves known issues.

For a list of issues that are currently known, but not resolved yet, see Secure Web Gateway 11.x Known Issues (KB94979).

NOTE: Secure Web Gateway 11.2.2 is provided as a main release.      

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

JIRA issue numbers are provided in the reference columns.

Other     
Reference Description
WP-4767 An issue where SWG did not process traffic when used along with an HSM, due to threads hanging in a critical section lock, has been resolved.
WP-4813 Alerts related to HSM keys containing control characters are escaped (‘%’ replaced with ‘/’) to resolve an issue where the Alert page disappeared.
WP-4833 Secure Web Gateway on-prem forwards all requests with X-SWEB headers to Secure Web Gateway cloud again.
WP-4836 The client_ip field in the access log for Secure Web Gateway cloud no longer omits the IP address of Secure Client Proxy.
WP-4839 The AOLE2 Opener used for opening Microsoft Office files does not crash anymore.

Announced Vulnerabilities       

Reference Description

WP-4801, WP-4802, WP-4834, WP-4841

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2020-10663 - There is no impact on SWG. The Ruby core of SWG does not use this library to parse/process JSON data, so there is no input vector available for exploitation.
  • CVE-2021-31799 - There is no impact on SWG, since the package is used to generate documentation and is therefore not installed on customer environments.
  • CVE-2020-26116 - There is no impact on SWG, since Python is not in use for normal SWG functioning.
    CVE-2020-26137
    CVE-2022-0391
  • CVE-2022-34169 - There is no impact. SWG does not load untrusted code.
    CVE-2022-25647
    CVE-2022-21541
    CVE-2022-21540
    CVE-2022-21549 

For more information about these CVEs and their impact, see the Red Hat CVE portal.

Resolved Issues in Update 11.2.1 

This release resolves known issues.

For a list of issues that are currently known, but not resolved yet, see Secure Web Gateway 11.x Known Issues (KB94979).

NOTE: Secure Web Gateway 11.2.1 is provided as a controlled release.       

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

JIRA issue numbers are provided in the reference column.

End of Life: Web Hybrid Legacy Settings

The Web Hybrid Legacy settings are no longer available for configuring an appliance system.

 Announced Vulnerabilities      

Reference Description

WP-4619, WP-4723, WP-4731, WP-4733, WP-4762, WP-4766, WP-4781 

 

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-21476 - There is no impact on SWG because no untrusted Java code is loaded.
    CVE-2022-21496
    CVE-2022-21434
    CVE-2022-21426
    CVE-2022-21443
  • CVE-2022-24903 - There is no impact on SWG because it is not configured to be a receiver by default.
  • CVE-2022-2310 - For impact details, see Security Bulletin SB10384.
  • CVE-2022-2068 - There is no impact. The affected script is not shipped by default on customer instances.
  • CVE-2022-34914 - There is a critical impact. Immediate upgrade is strongly recommended. 
  • CVE-2022-1271 - There is a moderate impact on SWG since it requires CLI access to the instance to be exploited.
  • CVE-2022-2097 - There is a low impact, since the vulnerability only affects the 32-bit implementation and does not affect TLS.

For more information about these CVEs and their impact, see the Red Hat CVE portal.

Resolved Issues in the 11.2 Release 

This release resolves known issues.

For a list of issues that are currently known, but not resolved yet, see Secure Web Gateway 11.x Known Issues (KB94979).

NOTE: Secure Web Gateway 11.2 is provided as a main release.       

For upgrade information, see the Upgrading to a new version provided as a main release section of the Secure Web Gateway Installation Guide. 

JIRA issue numbers are provided in the reference columns.

Network communication    
Reference Description
WP-1590 POST commands running while HTTP tunneling is enabled do not lead to a failure of the core process on Secure Web Gateway anymore.
WP-3343 IP spoofing is supported for HTTP(S) when setting up proxies in Explicit Proxy or L2 Transparent mode.
WP-3953 SWG can be configured to retain the destination port number when tapped packets are created.
WP-4145 POST commands running while HTTP tunneling is enabled do not lead to a failure of the core process on Secure Web Gateway anymore.
WP-4370 SSL tapping now supports HTTP2 on Secure Web Gateway.
WP-4396 The destination MAC address can be customized when tapped packets are broadcast.
WP-4443 The Enable FTP over HTTP option can be disabled when configuring an HTTP Proxy Port. This option is enabled by default.
WP-4447 A new property is added to store the rule and rule set names or IDs that were processed at the end of the request and response filtering cycles.
WP-4451 The Bond interface is brought up with the appliance and Static Routes settings are restored correctly after a full restore of Web Gateway.
WP-4541 Processing of cluster messages sent by the Notification plugin that is implemented in the core process has been improved.
WP-4558 When the data threshold of 10 GB is reached on an ICAP connection, the connection is shut down to avoid overload issues.
WP-4559 Memory can be reserved for advance usage while reading messages on Secure Web Gateway, so the length of the response is already known early, which avoids memory reallocation.
WP-4560 Processing of cluster messages sent by the Notification plugin that is implemented in the core process has been improved.
WP-4566 Copying of files has been improved.
WP-4646 An issue with high memory usage that occurred on a Secure Web Gateway for On-Prem appliance has been resolved.
WP-4674 Triggering the execution of the Hybrid policy is working fine.

Other
Reference Description
WP-2952 A user cannot DOWNLOAD and DELETE files via the REST interface without Troubleshooting rights.
WP-3990 Excel 4 macros are now detected in media type filtering.
WP-4134 A password for an update proxy user is escaped properly again, after this had not worked and caused yum to treat the user name as the name of the proxy server.
WP-4238 The rule in the script filter rule set that removes ActiveX objects from JavaScript is working fine now.
WP-4245 An admin user can again log on to Web Gateway using NTLM authentication successfully.
WP-4285 A new property is added to expose encrypted archive directory listings.
WP-4331 A 502 error that occurred when working with the AWS admin page has been resolved.
WP-4350 A URL path encoding issue that involved subscribed lists has been resolved.
WP-4351 A table without a header is no longer recognized erroneously as application/x-compressed-arc.
WP-4362 The Secure Web Gateway rule set for file scanning now scans nested archive files, which caused issues before.
WP-4428 Data that is collected by the GTI diagnosis script of the operating system is included in the output feedback file.
WP-4429 TCP dump options have been enhanced by adding a packet tracing feature.
WP-4440 An admin user can again log on to Web Gateway using NTLM authentication successfully.
WP-4444 Files are no longer detected as missing for Web Gateway nodes because of incorrect reference handling.
WP-4450 The mwg-snmp.service unit is available again now after a reboot of Web Gateway.
WP-4459 File scanning now extracts text from PDFs, which had failed before, as the scanning process went into a loop causing CPU consumption to reach 100%.
WP-4518 High memory usage on a Web Gateway appliance does not occur anymore.
WP-4556 Coordinator crashes that led to a shutdown on a Secure Web Gateway appliance do not occur anymore.
WP-4567 The SmartCache default size value has been increased from 100 to 1000 MB.
WP-4584 Response time for CStorageJob backup and restore activities has been improved.
WP-4650 Random downloads of an f.txt file on Chrome/Edge browsers do not occur anymore.

Vulnerabilities
Reference Description
WP-4347, WP-4408, WP-4416, WP-4432, WP-4454, WP-4547, WP-4554, WP-4591, WP-4598, WP-4621

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2021-41617
  • CVE-2021-4008
  • CVE-2021-4009
  • CVE-2021-4010
  • CVE-2021-4011
  • CVE-2022-23990
  • CVE-2022-23852
  • CVE-2022-45960
  • CVE-2022-22822
  • CVE-2022-22823
  • CVE-2022-22824
  • CVE-2022-22825
  • CVE-2021-46143
  • CVE-2022-22826
  • CVE-2022-22827
  • CVE-2022-25236
  • CVE-2022-25235
  • CVE-2022-25315
  • CVE-2022-1254
  • CVE-2022-24407
  • CVE-2022-0778
  • CVE-2018-25032
  • CVE-2022-1271
  • CVE-2022-1292

For more information about these CVEs and their impact, see the Red Hat CVE portal.
