Secure Web Gateway 11.1.x Release Notes

What's new in the 11.1 release

This release introduces new features and enhances existing features.

Radius-based authentication and management of CLI-based administrator accounts

On the Web Gateway user interface, as an administrator, you can create CLI-based accounts for other administrators. Each of these accounts works across all the appliances in a cluster or on a standalone appliance. Logon is enabled based on Radius authentication or local authentication, depending on the configuration.

For more information, see the Administrator accounts chapter of the Secure Web Gateway 11.1.x Product Guide.

Configurable ISTag header parameters for ICAP server responses

You can choose and configure additional parameters for the ISTag header that is sent in responses to the ICAP clients when Secure Web Gateway runs as an ICAP server. The header can also provide information about the version of the web protection policy that is in place on this Secure Web Gateway appliance.

For more information, see the Proxies chapter of the Secure Web Gateway 11.1.x Product Guide.

Terminating client connections on the command line interface

You can terminate a client connection by running a command on the command line interface (CLI). The reason for terminating a connection might be that the traffic on this connection consumes too much bandwidth.

Event for removing headers based on wildcard matches

Using the Header.RemoveAllWildcardMatchingHeaders event in a rule, you can remove all headers that match a given wildcard from requests and responses sent and received in web traffic that is processed on Secure Web Gateway.

Property for encoding a string under the Base64 method and rendering the result in binary format

Using the String.Base64EncodeAsBinary property in a rule, you can have a string encoded under the Base64 method and the result of this encoding turned into a string of binary digits.

Known Issues and their Patches

For a list of issues that are known, see the table below.

Fix Version / Found Version / Description

Fix version: SWG 11.2.5
Found version: SWG 11.2.0

Issue: After you update a central management cluster from 10.2.x to 11.2.x (specifically 11.2.4 or earlier), you see one of the following issues:

  • No access to UI. You might see the following error: Error while receiving data. Received 'HTTP:200'
  • System list updates fail with the following error: System Lists update failed, with ID 333

Workaround: Run the following commands on each cluster node via CLI:

service mwg-core stop
rm /opt/mwg/plugin/data/DLP/0/lists -rf
service mwg-core start

After the service restart, a new list is created automatically.

NOTE: This workaround includes a service restart; all connections will be disconnected and no connections will be accepted until the service is started again.

Solution: This issue is fixed in version 11.2.5; release date is November 15, 2022.

         

 

 

 

Fix version: SWG 11.2.4
Found version: SWG 11.2.3

Issue: 11.2.3 uses an updated version of Tomcat.
This new version of Tomcat causes SWG to suffer an incompatibility with the authentication method "client certificate authentication."
This authentication method is only available when using the SWG UI as a Java Applet (logging in via the browser login page).
Detailed information about client certificate authentication can be found on the SWG documentation page.

NOTE: Most current browsers don't support Java Applets.
The most notable browser still supporting them is the old Internet Explorer 11, but this is now EOL.

The following entries appear in the log file /opt/mwg/log/mwg-errors/mwg-ui.errors.log:

[ERROR] Cannot determine if client certificate is enabled due to implementation changes in Tomcat: java.lang.NoSuchFieldException: endpoint

 

Issue: After you reboot, the kdump service fails to start.
The current kdump service included in SWG isn't compatible with the latest kernel upgrade provided as part of the September 20, 2022 releases.
The kdump service handles kernel failures that occur and recovery from these issues.
When this service is non-functional, kernel failures cause the appliance to become unresponsive, and a manual power cycle is needed to get the appliance back to a working state.

Workarounds: You can avoid this issue at installation by preventing the kernel package from being upgraded.

NOTE: This workaround is only applicable to the CMD method of upgrade.
Instead of running yum upgrade yum && yum upgrade, run yum upgrade yum && yum upgrade --exclude=kernel*

If you have already upgraded, edit the configuration files to allow the appliance to recover from a kernel failure and automatically reboot after 5 seconds:

  1. Edit the sysctl.conf file from the SWG-UI.
  2. Add the line kernel.panic=5 outside the auto generated block.
  3. Save your changes.
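
A way to confirm that the edit took effect, as an added example that is not part of the original release notes: the script below reports the value a sysctl.conf-style file finally assigns to kernel.panic, ignoring commented-out lines and letting the last assignment win. The function names and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (function names are hypothetical, sample data is constructed).

# effective_sysctl KEY FILE: print the value a sysctl.conf-style file ends up
# assigning to KEY (the last uncommented assignment wins); return 1 if unset.
effective_sysctl() {
    awk -v key="$1" '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next                   # not an assignment
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            sub(/^[ \t]*-?[ \t]*/, "", k); sub(/[ \t]+$/, "", k)
            sub(/^[ \t]+/, "", v);         sub(/[ \t]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (!found) exit 1; print val }
    ' "$2"
}

# check_panic_reboot FILE [SECONDS]: return 0 only when kernel.panic is set
# to the expected reboot delay (5 seconds in the workaround above).
check_panic_reboot() {
    file=$1; want=${2:-5}
    val=$(effective_sysctl kernel.panic "$file") || {
        echo "kernel.panic is not set in $file"; return 1; }
    case $val in
        ''|*[!0-9]*) echo "kernel.panic is not a non-negative integer: $val"
                     return 1 ;;
    esac
    if [ "$val" -eq "$want" ]; then echo "ok: kernel.panic=$val"; return 0; fi
    echo "kernel.panic=$val, expected $want"; return 1
}

# Constructed sample file (not taken from an appliance).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# kernel.panic=30
kernel.panic = 0
net.ipv4.ip_forward = 1
kernel.panic=5
EOF
check_panic_reboot "$sample" 5
rm -f "$sample"
```

On a running system, the value the kernel is actually using can be read with sysctl -n kernel.panic and compared with the file.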

   

 

 

 

Fix version: SWG 11.1.14
Found version: SWG 11.1

  

Issue: Your browser response page shows corrupted text. No errors are seen in the SWG logs.

Solution: This issue is fixed in version 11.1.4.

Issue: Your browser triggers a file download, which is a text file named "f.txt." No errors are seen in the SWG logs. 

Solution: This issue is fixed in version 11.1.4.

Issue: A memory leak leads to one or more of the following issues:

  • Appliance not reachable
  • SWG stops handling network traffic
  • No access to SWG UI

Resolution: This issue is fixed in version 11.1.4.

Resolved issues in update 11.1.5 

This release resolves known issues.

NOTE: Secure Web Gateway 11.1.5 is provided as a controlled release.       

For upgrade information, see the Upgrading to a new version provided as a main release section of the Secure Web Gateway Installation Guide. 

The JIRA issue number is provided in the reference column.

Network communication  

Reference Description
WP-3343 IP spoofing is supported for HTTP(S) when setting up proxies in Explicit Proxy or L2 Transparent mode.

Other  

Reference Description
WP-3990 Excel 4 macros are now detected in media type filtering.

Vulnerabilities    

Reference Description

WP-4547, WP-4598, WP-4621

 

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-24407 - There is no impact on SWG since the affected component is not in use. 
  • CVE-2022-1271 - There is a moderate impact on SWG since it requires CLI access to the instance to be exploited.
  • CVE-2022-1292 - There is no impact since SWG does not ship the affected script by default.
    CVE-2022-1473
    CVE-2022-1434
    CVE-2022-1343

For more information about these CVEs and their impact, see the Red Hat CVE portal.

Resolved issues in update 11.1.4 

This release resolves known issues.

NOTE: Secure Web Gateway 11.1.4 is provided as a controlled release.       

For upgrade information, see the Upgrading to a new version provided as a main release section of the Secure Web Gateway Installation Guide. 

The JIRA issue number is provided in the reference column.

Network communication 

Reference Description
WP-4646 An issue with high memory usage that occurred on a Secure Web Gateway for On-Prem appliance has been resolved. 

Other 

Reference Description
WP-4238 The rule in the script filter rule set that removes ActiveX objects from JavaScript now works correctly.
WP-4351 A table without a header is no longer recognized erroneously as application/x-compressed-arc.
WP-4650 Random downloads of an f.txt file on Chrome/Edge browsers do not occur anymore.

 

Resolved issues in update 11.1.3 

This release resolves known issues.

NOTE: Secure Web Gateway 11.1.3 is provided as a controlled release.       

For upgrade information, see the Upgrading to a new version provided as a main release section of the Secure Web Gateway Installation Guide. 

The JIRA issue number is provided in the reference column.

Network communication 

Reference Description
WP-4145 POST commands running while HTTP tunneling is enabled do not lead to a failure of the core process on Secure Web Gateway anymore.
WP-4541 Processing of cluster messages sent by the Notification plugin that is implemented in the core process has been improved.
WP-4558 When the data threshold of 10 GB is reached on an ICAP connection, the connection is shut down to avoid overload issues.
WP-4559 Memory can be reserved for advance usage while reading messages on Secure Web Gateway, so the length of the response is already known early, which avoids memory reallocation.

Web filtering 

Reference Description
WP-4459 File scanning now extracts text from PDFs, which had failed before, as the scanning process went into a loop causing CPU consumption to reach 100%. 

Other 

Reference Description
WP-4362 The Secure Web Gateway rule set for file scanning now scans nested archive files, which caused issues before.
WP-4556 Coordinator crashes that led to a shutdown on a Secure Web Gateway appliance do not occur anymore.
WP-4567 The SmartCache default size value has been increased from 100 to 1000 MB.  
WP-4584 Response time for CStorageJob backup and restore activities has been improved. 

Vulnerabilities   

Reference Description

WP-4432, WP-4454, WP-4591

 

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-23990
  • CVE-2022-23852
  • CVE-2022-45960
  • CVE-2022-22822
  • CVE-2022-22823
  • CVE-2022-22824
  • CVE-2022-22825
  • CVE-2021-46143
  • CVE-2022-22826
  • CVE-2022-22827
  • CVE-2022-25236
  • CVE-2022-25235
  • CVE-2022-25315
  • CVE-2022-1254
  • CVE-2018-25032

For more information about these CVEs and their impact, see the Red Hat CVE portal.
