Skyhigh Security

Secure Web Gateway 10.2.x Release Notes

What's new in the 10.2 release

Releases can introduce new features and enhancements or update platform support.

Improvements for Proxy HA mode

Several options are now available that allow for improved performance and handling when running Secure Web Gateway in Proxy High Availability (Proxy HA) network mode.

  • An inactivity timeout, a load balancing algorithm, and sticky sessions can be configured, as well as egress IP addresses to increase the number of simultaneously active connections to cluster nodes scanning web traffic.
  • Filtering traffic coming in under the SOCKS protocol is supported.

For more information, see the Proxy HA mode section of the Secure Web Gateway Product Guide.

More protocol versions for secure ICAP

Different versions of the TLS and SSL protocols can now be selected when running Web Gateway in a secure ICAP server configuration.

For more information, see the ICAP server section of the Secure Web Gateway Product Guide.

Property for troubleshooting ATD issues

The Antimalware.MATD.Error.MessageDetails string-type property has been added to the list of properties for use in web security rules. It provides details of an Advanced Threat Defense error message, such as timeouts, missing values, or network problems.

For more information, see the Properties - A section of the Secure Web Gateway Product Guide.

More media types detected

More media types are detected by the functions for media type filtering on Web Gateway, including:

  • Visio files with the following extensions: vsdm, vsdx, vssm, vssx, vstm, vstx
  • CAD files

More efficiency in internal processing

Several internal processes have been improved on Web Gateway as follows.

  • For users working with the WebSwing version of the user interface, the individual IP addresses of their client systems are recorded in the audit log when requests come in from these clients. The common 127.0.0.1 address is no longer in use here.

This address had been logged for all users due to the role as a remote desktop that WebSwing took from the point of view of the Java user interface.

A commercial WebSwing version has also been implemented to overcome some limitations of the open source versions.

  • More efficient methods of identifying customers, clients, and connections involved in issues that occurred are now used when reading core files stored in a temp folder.
  • Some enhancements have been implemented for the consistency checking tool, which identifies unused settings and lists on Web Gateway.
  • The feedback file that is evaluated on the master node in a cluster of Web Gateway appliances now provides the current version of the appliance software for each cluster node.
  • Processing lists with entries in Regex format performs better due to an improvement of the diagnostic tool.

What's new in update 10.2.1

This release introduces several enhancements.

SmartMatch optimization

Performance has been optimized for SmartMatch lookups by improving the way lists are handled when searching for matches.

Kerberos authentication with improved logging

When the Kerberos authentication method is used, error logging has been improved, for example, by writing client IP addresses in the log.

Handling of HTTP2 statistics improved

HTTP2 statistics, which are also shown on the Secure Web Gateway dashboard, are provided under the Simple Network Management Protocol (SNMP) so that they can be polled by an external SNMP manager.

Known Issues and their Patches

For a list of issues that are currently known, see the table below.

SWG 10.2.15

SWG 10.2.14

Issue: 10.2.14 uses an updated version of Tomcat.
This new version of Tomcat causes SWG to suffer an incompatibility with the authentication method "client certificate authentication."
This authentication method is only available when using the SWG UI as a Java Applet (logging in via the browser login page).
Detailed information about client certificate authentication can be found on the SWG documentation page.

NOTE: Most current browsers don't support Java Applets.
The most notable browser still supporting them is the old Internet Explorer 11, but this is now End of Life.

You see the following entry in the log file /opt/mwg/log/mwg-errors/mwg-ui.errors.log:

[ERROR] Cannot determine if client certificate is enabled due to implementation changes in Tomcat: java.lang.NoSuchFieldException: endpoint

SWG 10.2.2

SWG 10.2.1

Reference number: WP-4043

Issue: You can't log in to the SWG GUI by using any external managed admin account. Logging in using the local admin account still works.

The following setting is disabled: Accounts > Administrator accounts are managed externally

If you enable the setting and save changes, it's disabled again after a few minutes.

Workaround: Use the local admin account.

SWG 10.2.4

SWG 10.2

Reference number: TSWS-6000

Issue: After you update SWG 10.2–10.2.3 or earlier, DATs and Gateway DATs fail to update. SWG 10.2.3 and earlier don't support the GAM Engine 2021.1.

Resolution: Update to 10.2.4 or later.

Workaround: If you continue to use 10.2.3 or earlier, you need to remove all updates. SWG runs with GAM Engine 2019 after you follow this workaround:

  1. Log on to the SWG appliance using SSH or the console.

  2. Stop the main mwg process:
    Type service mwg stop and press Enter.

  3. Delete the patterns saved:
    Type cd /opt/mwg/plugin/data/antivirus and press Enter.
    Type rm -rf * and press Enter.

  4. Delete temp data or the broken pattern that's saved:
    Type cd /opt/mwg/temp and press Enter.
    Type rm -rf * and press Enter.

  5. Start the mwg process again:
    Type service mwg start and press Enter.

  6. Manually update the engine through the Manager:
    Click Configuration, Appliances, Update Engine, Trigger Update.   
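
A guarded form of steps 2 to 5 above, as an added example that is not part of the original release notes or the vendor's tooling. The helper names purge_dir and gam_rollback_cleanup are hypothetical; the paths and service commands are the ones given in the steps, and the sketch assumes both paths are real directories (not symlinks) and that find supports -mindepth and -maxdepth.

```shell
#!/bin/sh
# Added example: guarded form of steps 2-5 of the workaround above.
# Typing `cd DIR` and then `rm -rf *` by hand empties whatever directory the
# shell is in if the cd failed; purge_dir refuses to delete in that case.

# Paths taken from the workaround steps on this page.
MWG_AV_DIR=/opt/mwg/plugin/data/antivirus
MWG_TEMP_DIR=/opt/mwg/temp

# purge_dir DIR EXPECTED  (hypothetical helper)
# Removes the non-hidden entries of DIR, like `rm -rf *` run inside it, but
# only when DIR exists and its physical path is exactly EXPECTED.
purge_dir() {
    dir=$1
    expected=$2
    if [ -z "$dir" ] || [ -z "$expected" ]; then
        echo "usage: purge_dir DIR EXPECTED" >&2
        return 2
    fi
    if [ ! -d "$dir" ]; then
        echo "purge_dir: $dir is not a directory, nothing deleted" >&2
        return 1
    fi
    # Resolve symlinks so a redirected path cannot point the delete elsewhere.
    resolved=$(cd "$dir" && pwd -P) || return 1
    if [ "$resolved" != "$expected" ]; then
        echo "purge_dir: $dir resolves to $resolved, expected $expected" >&2
        return 1
    fi
    # -mindepth/-maxdepth are GNU/BSD find extensions (assumed available).
    find "$resolved" -mindepth 1 -maxdepth 1 ! -name '.*' -exec rm -rf -- {} +
}

# gam_rollback_cleanup  (hypothetical wrapper for steps 2-5)
# Step 6, triggering the engine update in the Manager, stays a manual step.
gam_rollback_cleanup() {
    service mwg stop || return 1
    rc=0
    purge_dir "$MWG_AV_DIR" "$MWG_AV_DIR" || rc=1
    purge_dir "$MWG_TEMP_DIR" "$MWG_TEMP_DIR" || rc=1
    # Restart the service even if a purge was refused, then report the result.
    service mwg start || return 1
    return "$rc"
}

# Nothing runs unless the script is invoked with --run as root on the appliance.
if [ "${1:-}" = "--run" ]; then
    gam_rollback_cleanup
fi
```

A non-zero exit means at least one directory was left untouched and should be checked by hand before triggering the engine update.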

Reference number: WP-3868

Issue: You disable the Enabled Openers rule set and configure the Gateway Anti-Malware Engine as Avira only.
However, Avira doesn't detect specific or modified Eicar files inside the archive.

Workaround: Open SWG Policy under Common Rules, and enable the Enable Opener Rule set.

Reference number: WP-3541

Issue: Adding new HSM keys in the SWG UI fails if the HSM server is already started and running.

Workaround: Restart the HSM Server from the SWG UI after you add new keys.

SWG10.2 10.0.1-10.1

SWG10.0.1-10.1

Reference number: WP-2823

Issue: In HAProxy mode, when using the Virtual IP address, the connection timeout settings configured in the Enable Proxy Control event are ignored. HAProxy only applies the general timeout settings.

Workaround: Increase the general timeout settings in SWG or increase the timeout on the remote site.

SWG 10.1

SWG 10.0.1-10.0.2

Reference number: WP-3305

Issue: You intermittently see an anti malware engine update error:

[AV] [UpdateFailed2] Error updating the Antivirus engine. Reason: 'Error starting engine 'McAfee Gateway Anti-Malware', error code: 5'."

You also see that service restarts take about 40 minutes rather than the expected 5 minutes.

SWG 10.2.10    Random f.txt files no longer download incorrectly on Chrome and Edge browsers. 

 

Resolved issues in update 10.2.21

This release resolves issues.

NOTE: Secure Web Gateway 10.2.21 is provided as a main release and archived.      

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.   

The JIRA issue number is provided in the reference column. 

Reference Description
WP-4758 Improved URL scheme validation as per RFC requirement.
WP-5084 UI: fixed toggle button "Ignore certificate errors" in Customer Maintained list’s Setup Dialogue box.
WP-5264 Uploading a file with chunked encoding format works without problems again.
WP-5270 An issue with downloading RTF files that led to a blocking of the download has been resolved.
WP-5295 A new media type has been added to media type filtering to detect files of the kdbx and kdb types.
WP-5300 An issue with synchronizing AgentPeer socket read/write has been resolved.
WP-5304 Secure Web Gateway reports statistics information as expected, which had not worked before due to an issue with the database lock status.

 

Announced Vulnerabilities      

Reference Description
WP-4958, WP-5049, WP-5260, WP-5274, WP-5322, WP-5323

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-38177
  • CVE-2022-1552
  • CVE-2022-4883
  • CVE-2022-4304, CVE-2023-0215, CVE-2022-4450, CVE-2023-0286
  • CVE-2022-37434
  • CVE-2022-23521, CVE-2022-41903

Resolved issues in update 10.2.20

This release resolves issues.

NOTE: Secure Web Gateway 10.2.20 is provided as a main release and archived.      

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.   

The JIRA issue number is provided in the reference column. 

Reference Description
WP-5172 JSP files are not interpreted anymore but delivered as text without additional processing except pre-compiled JSP pages.
WP-5177 Correct MediaType Detection for application/x-git.
WP-5205 REST Interface access to System files without required Permissions has been fixed.
WP-5224 Bad gateway error while visiting some HTTP2 websites has been resolved.
WP-5256 Webswing has been upgraded from version 20.1.16 to version 20.2.21 LTS.
WP-5265 The maximum configurable value of ‘Connection timeout’ is now 99999 seconds in ‘Enable Proxy Control’ event.

Announced Vulnerabilities      

Reference Description
WP-5165, WP-5273

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-3550, CVE-2022-3551
  • CVE-2022-4304, CVE-2023-0215, CVE-2023-0286

Resolved issues in update 10.2.19

This release resolves issues.

NOTE: Secure Web Gateway 10.2.19 is provided as a main release and archived.      

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.   

The JIRA issue number is provided in the reference column.       

SWG release version 10.2.18 was rolled back due to an identified performance issue. The issues fixed in that version are therefore listed as resolved in the current release version.

Reference Description
WP-5226 Fixed performance and slowness issues caused by an update to the Kerberos package.

Resolved issues in update 10.2.18

This release resolves issues.

NOTE: Secure Web Gateway 10.2.18 is provided as a main release and archived.      

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.   

The JIRA issue number is provided in the reference column.       

Reference Description
WP-4360 PD Storage: Cluster message has been optimized.
WP-4988 Fixed issue with detection of PDF files with incremental updates.
WP-5067 Sub rule sets are no longer deleted when importing a rule set via REST API.
WP-5108 Core dump issue related to NHP and connection timeout has been fixed.
WP-5111 Issue with Saas Connector blocking WebHybrid Sync has been fixed.
WP-5154 A new environment variable is provided to control (enable/disable) creation of an unsecure Netlogon channel.

Announced Vulnerabilities    

Reference Description
WP-5100, WP-5164

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-42898
  • CVE-2023-22809

Resolved issues in update 10.2.17 

This release resolves issues.

NOTE: Secure Web Gateway 10.2.17 is provided as a main release and archived.      

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.   

The JIRA issue number is provided in the reference column.

Web filtering       
Reference Description
WP-2217 The PDF opener now also supports PDFs of version 2.0.
WP-4536 The client IP or URL is logged with Kerberos error messages when authentication logs are enabled.
WP-4859 Files that were previously not detected as TTF are now detected correctly as TTF.
WP-4934 Long list names used when configuring Secure Web Gateway web policy rules are rendered completely in rule sets.
WP-4981 The block page now shows the URL and category, which were missing after transitioning from the coaching block page to the URL blocked page.
WP-4992 A new media type has been added to detect InDesign documents and templates.
WP-4998 The file opener now supports tar files with pax headers.
WP-5076 The PDF opener function for detecting JavaScript has been improved.

 

Network communication      
Reference Description
WP-4557 No error occurs when selecting rule trace, even when the option Restrict browser session to IP address of user is enabled.
WP-4954 Passive FTP is working as expected now in an HA Proxy setup through HAProxy.
WP-4985 An HTTP2 issue related to a wrong value for connection level flow control has been fixed.
WP-5010 TCP half-close support for TCP and SOCKS proxies to access an application works without issues.
WP-5070 A high client connection issue related to URL parsing has been fixed.
Other
Reference Description
WP-4491 Issue related to LinkedIn video upload with HTTP2 is now fixed.
WP-4667 Users can join a Zoom meeting via browser when the waiting room option is enabled.
WP-4724 Error messages are logged.
WP-4944 Restoring a backup works as expected now; the failure had been caused by a duplicate ID that had been assigned to a configuration file.
WP-5081 An option to configure the addition of X cache headers has been added to the proxy control configuration.
WP-5109 All the logs are rotated as per Log Manager Configuration.

 

Announced Vulnerabilities      

Reference Description
WP-4999, WP-5050, WP-5101

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2023-0214
  • CVE-2022-21626, CVE-2022-21628, CVE-2022-21619, CVE-2022-21624
  • CVE-2022-3550, CVE-2022-3551

Resolved issues in update 10.2.16 

This release resolves issues.

NOTE: Secure Web Gateway 10.2.16 is provided as a main release and archived.      

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.   

The JIRA issue number is provided in the reference column.

Reference Description
WP-4966 The Opener used for parsing rtf documents does not crash anymore.

Announced Vulnerabilities   

Reference Description
WP-4996
 

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-40674

Resolved issues in update 10.2.15 

This release resolves issues.

NOTE: Secure Web Gateway 10.2.15 is provided as a main release and archived.      

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.   

The JIRA issue number is provided in the reference column.

Network communication      
Reference Description
WP-4734 Both the proxy.outbound IP address and port are working as expected now for TCP proxy connections.
Others      
Reference Description
WP-4935 The version check no longer fails when new kernels are released.

 

Announced Vulnerabilities        
Reference Description
WP-4949, WP-4950, WP-4951

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-31676
  • CVE-2022-1552, CVE-2022-2319, CVE-2022-2320, CVE-2022-29154
  • CVE-2022-2319, CVE-2022-2320

For more information about these CVEs and their impact, see the Red Hat CVE portal.

Resolved issues in update 10.2.14 

This release resolves issues.

NOTE: Secure Web Gateway 10.2.14 is provided as a main release and archived.      

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.   

The JIRA issue number is provided in the reference column.

Web filtering     
Reference Description  
WP-4578 An issue with eml files, which were getting blocked due to an underscore in the message header, has been resolved.  
WP-4605 PDF files that are submitted to an electronic signature platform do not get blocked anymore by a Block Encrypted Types rule, as the user key is correctly detected now.  
WP-4887 Opening a document of the application/postscript media type no longer results in false as a value for the MediaTypeHasOpener property after this media type was added to the list of media types that can be handled by the File Opener on Secure Web Gateway.
WP-4922 An issue with high memory usage that occurred with the UCE container on Secure Web Gateway due to an endless loop in excel4 macro media type detection has been resolved.  
Network communication      
Reference Description
WP-4835 Exceptions that had been entered in the Port Redirection table based on IP addresses are working as expected for the Transparent Bridge mode.
WP-4931 Checking lists with revoked certificates does not fail anymore, which had happened due to a browser error.
Others      
Reference Description
WP-4465 Tomcat has been upgraded from version 7.x to version 9.x

 

Announced Vulnerabilities        
Reference Description

WP-3750,WP-4871

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-23307, CVE-2022-23305, CVE-2022-23302
  • CVE-2022-37434 - There is a low impact; successful exploitation requires physical system access.

For more information about these CVEs and their impact, see the Red Hat CVE portal.

Resolved issues in update 10.2.13 

This release resolves issues.

NOTE: Secure Web Gateway 10.2.13 is provided as a main release.      

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.   

The JIRA issue number is provided in the reference column.

Other     
Reference Description
WP-4767 Resolved an issue where SWG stopped processing traffic when used along with HSM, due to threads hanging in a critical section lock.
WP-4813 Alerts related to HSM keys containing control characters are escaped (‘%’ replaced with ‘/’) to resolve an issue where the Alert page disappeared.
WP-4839 The AOLE2 Opener used for opening Microsoft Office files does not crash anymore.

Announced Vulnerabilities       

Reference Description

WP-4801, WP-4802, WP-4834, WP-4841

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2020-10663 - There is no impact on SWG. The ruby core of SWG does not use this library to parse/process JSON data, so there is no input vector available for exploitation.
  • CVE-2021-31799 - There is no impact on SWG, since the package is used to generate documentation and is therefore not installed on customer environments.
  • CVE-2020-26116 - There is no impact on SWG, since Python is not in use for normal SWG functioning.
    CVE-2020-26137
    CVE-2022-0391
  • CVE-2022-34169 - There is no impact. SWG does not load untrusted code.
    CVE-2022-25647
    CVE-2022-21541
    CVE-2022-21540
    CVE-2022-21549 

For more information about these CVEs and their impact, see the Red Hat CVE portal.

Resolved issues and a change in update 10.2.12 

This release resolves issues.

NOTE: Secure Web Gateway 10.2.12 is provided as a main release.      

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.   

Changed  

The Web Hybrid Legacy settings are no longer available for configuring an appliance system.

Resolved issues 

JIRA issue numbers are provided in the reference column.

Web Filtering    
Reference Description
WP-4555 Performance of the is-in-list operator when searching lists of IP addresses has been improved.
WP-4761 Opening zipped files with the 7Zip opener does not fail anymore.
Other     
Reference Description
WP-2952 Files can be downloaded and deleted again on the REST interface, which had not been possible due to an issue with troubleshooting rights.
Vulnerabilities      
Reference Description

WP-4619, WP-4723, WP-4731, WP-4733, WP-4762, WP-4766, WP-4781

 

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-21476 - There is no impact on SWG because no untrusted Java code is loaded.
    CVE-2022-21496
    CVE-2022-21434
    CVE-2022-21426
    CVE-2022-21443
  • CVE-2022-24903 - There is no impact on SWG because it is not configured to be a receiver by default.
  • CVE-2022-2310 - For impact details, see Security Bulletin SB10384.
  • CVE-2022-2068 - There is no impact. The affected script is not shipped by default on customer instances.
  • CVE-2022-34914 - There is a critical impact. Immediate upgrade is strongly recommended.
  • CVE-2022-1271 - There is a moderate impact on SWG since it requires CLI access to the instance to be exploited.
  • CVE-2022-2097 - There is a low impact, since the vulnerability only affects the 32-bit implementation and does not affect TLS.

For more information about these CVEs and their impact, see the Red Hat CVE portal.

Resolved issues in update 10.2.11 

This release resolves known issues.

NOTE: Secure Web Gateway 10.2.11 is provided as a main release.         

For upgrade information, see the Upgrading to a new version provided as a main release section of the Secure Web Gateway Installation Guide. 

The JIRA issue number is provided in the reference column.

Network communication   
Reference Description
WP-3343 IP spoofing is supported for HTTP(S) when setting up proxies in Explicit Proxy or L2 Transparent mode.
Other   
Reference Description
WP-3990 Excel 4 macros are now detected in media type filtering.
Vulnerabilities     
Reference Description

WP-4547, WP-4598, WP-4621

 

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-24407 - There is no impact on SWG since the affected component is not in use. 
  • CVE-2022-1271 - There is a moderate impact on SWG since it requires CLI access to the instance to be exploited.
  • CVE-2022-1292 - There is no impact since SWG does not ship the affected script by default.
    CVE-2022-1473
    CVE-2022-1434
    CVE-2022-1343

For more information about these CVEs and their impact, see the Red Hat CVE portal.

 

Resolved issues in update 10.2.10 

This release resolves known issues.

NOTE: Secure Web Gateway 10.2.10 is provided as a main release.         

For upgrade information, see the Upgrading to a new version provided as a main release section of the Secure Web Gateway Installation Guide. 

The JIRA issue number is provided in the reference column.

Network communication 
Reference Description
WP-4646 An issue with high memory usage that occurred on a Secure Web Gateway for On-Prem appliance has been resolved. 
Other 
Reference Description
WP-3772 The PDF opener now also supports PDF versions below 2.0 with AESV3 encryption.
WP-4238 The rule in the script filter rule set that removes ActiveX objects from JavaScript is working fine now.
WP-4351 A table without a header is no longer recognized erroneously as application/x-compressed-arc.
WP-4650 Random f.txt file downloads on Chrome and Edge browsers do not occur anymore.

 

Resolved issues in update 10.2.9 

This release resolves known issues.

NOTE: Secure Web Gateway 10.2.9 is provided as a main release.         

For upgrade information, see the Upgrading to a new version provided as a main release section of the Secure Web Gateway Installation Guide. 

The JIRA issue number is provided in the reference column.

Network communication 
Reference Description
WP-4145 POST commands running while HTTP tunneling is enabled do not lead to a failure of the core process on Secure Web Gateway anymore.
WP-4541 Processing of cluster messages sent by the Notification plugin that is implemented in the core process has been improved.
WP-4558 When the data threshold of 10 GB is reached on an ICAP connection, the connection is shut down to avoid overload issues.
WP-4559 Memory can be reserved for advance usage while reading messages on Secure Web Gateway, so the length of the response is already known early, which avoids memory reallocation.
Web filtering 
Reference Description
WP-4459 File scanning now extracts text from PDFs, which had failed before, as the scanning process went into a loop causing CPU consumption to reach 100%. 
Other 
Reference Description
WP-4362 The Secure Web Gateway rule set for file scanning now scans nested archive files, which caused issues before.
WP-4556 Coordinator crashes that led to a shutdown on a Secure Web Gateway appliance do not occur anymore.
WP-4567 The SmartCache default size value has been increased from 100 to 1000 MB.  
WP-4584 Response time for CStorageJob backup and restore activities has been improved. 
Vulnerabilities   
Reference Description

WP-4432, WP-4454, WP-4591

 

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-23990
  • CVE-2022-23852
  • CVE-2022-45960
  • CVE-2022-22822
  • CVE-2022-22823
  • CVE-2022-22824
  • CVE-2022-22825
  • CVE-2021-46143
  • CVE-2022-22826
  • CVE-2022-22827
  • CVE-2022-25236
  • CVE-2022-25235
  • CVE-2022-25315
  • CVE-2022-1254
  • CVE-2018-25032

For more information about these CVEs and their impact, see the Red Hat CVE portal.
