
Skyhigh Security

Secure Web Gateway 11.2.x Release Notes

New Features in the 11.2 Release

This release provides the following new features. For resolved issues in this release and the update releases, see further below.

NOTE: Secure Web Gateway 11.2 is provided as a main release.

For information about how to install this release, see the Upgrading to a New Version - Controlled Release. If you are installing the Secure Web Gateway appliance software for the first time, see Installing Secure Web Gateway for the First Time.

New Properties for Web Policy Rules 

When configuring rules for your web policy, you can use these new items:

  • A new property to expose encrypted archive directory listings.
  • A new property to store the rule and rule set names or IDs that were processed at the end of the request and response filtering cycles.

GTI Data Included in Feedback File 

Data that is collected by the GTI diagnosis script of the operating system is included in the output feedback file.

Support for Rolling TCPdump collection

Support for the rolling TCPdump collection option is now available in the UI. For more details, see Create a packet tracing file. For more details on packet tracing in Secure Web Gateway, see Performing Packet Tracing in Secure Web Gateway.

More Flexibility for HTTP Proxy Port Configuration 

When configuring an HTTP Proxy Port, you can disable the Enable FTP over HTTP option. The option is enabled by default.

SSL Tap Configuration Enhanced 

 The following enhancements have been added to SSL Tap configuration:

  • The destination port number is not overwritten by default when tapped packets are created.
  • The destination MAC address can be customized when tapped packets are broadcast.
  • SSL tapping now supports HTTP2 on Secure Web Gateway.

Detection of Excel 4 Macros Added 

Excel 4 macros are now detected in media type filtering. 

IP Spoofing Supported for HTTP(S) in Proxy Configuration 

IP spoofing is supported for HTTP(S) when setting up proxies in Explicit Proxy or L2 Transparent mode.

What's new in update 11.2.5 

Enhancements have been introduced as follows in this release.

  • Skyhigh Rebranding Changes
    • Icons and logos are rebranded from McAfee to Skyhigh Secure Web Gateway.

Known Issues and their Patches

For a list of issues that are known, but not resolved yet, see the table below.

Fix Version Found Version Description
11.2.11 11.2.10

Issue: After an update to version 10.2.21, 11.2.10, 12.1.3, or 12.2.0, the UI service does not start properly. Error descriptions show different errors; the specific root cause is identified as:

"Caused by: javax.xml.stream.XMLStreamException: Maximum attribute size limit (524288) exceeded"

Workaround:

The related limit can be raised by upgrading the related SWG code/libraries. To obtain the upgraded version, contact support. This issue is fixed with WP-5462.

Solution:

This issue is fixed in version 11.2.11; release date is June 13, 2023.

11.2.5 11.2.0

Issue: After you update a central management cluster from 10.2.x to 11.2.x (specifically 11.2.4 or earlier), you see one of the following issues:

  • The following error is seen when you don't have access to the UI: Error while receiving data. Received 'HTTP:200'
  • System list updates fail with the following error: System Lists update failed, with ID 333

Workaround: Run the following commands on each cluster node via CLI:

service mwg-core stop
rm /opt/mwg/plugin/data/DLP/0/lists -rf
service mwg-core start

After the service restart, a new list is created automatically.

NOTE: This workaround includes a service restart; all connections will be disconnected and no connections will be accepted until the service is started again.

Solution: This issue is fixed in version 11.2.5; release date is November 15, 2022.

11.2.4 11.2.3

Issue: 11.2.3 uses an updated version of Tomcat.
This new version of Tomcat causes SWG to suffer an incompatibility with the authentication method "client certificate authentication."
This authentication method is only available when using the SWG UI as a Java Applet (logging in via the browser login page).
Detailed information about client certificate authentication can be found on the client certificate authentication page.

NOTE: Most current browsers don't support Java Applets.
The most notable browser still supporting them is the old Internet Explorer 11, but this is now EOL.
You see the following entry in the log file /opt/mwg/log/mwg-errors/mwg-ui.errors.log:

[ERROR] Cannot determine if client certificate is enabled due to implementation changes in Tomcat: java.lang.NoSuchFieldException: endpoint

Issue: After you reboot, the kdump service fails to start. The current kdump service included in SWG isn't compatible with the latest kernel upgrade provided as part of the September 20, 2022 releases.
The kdump service handles kernel failures that occur and recovery from these issues.
When this service is non-functional, kernel failures cause the appliance to become unresponsive, and a manual power cycle is needed to get the appliance back to a working state.

Workarounds: You can avoid this issue on installation by preventing the kernel package from being upgraded.

NOTE: This workaround is only applicable to the CMD method of upgrade.
Instead of running yum upgrade yum && yum upgrade, run yum upgrade yum && yum upgrade --exclude=kernel*

If you have already upgraded, edit the configuration files to allow the appliance to recover from a kernel failure and automatically reboot after 5 seconds:

  1. Edit the sysctl.conf file from the SWG-UI.
  2. Add the line kernel.panic=5 outside the auto generated block.
  3. Save your changes.

11.1.14 11.1

Issue: Your Browser response page shows corrupted text. No errors are seen in the SWG logs. 

Solution: This issue is fixed in version 11.1.4.

Issue: Your browser triggers a file download, which is a text file named "f.txt." No errors are seen in the SWG logs. 

Solution: This issue is fixed in version 11.1.4.

Issue: A memory leak leads to one or more of the following issues:

  • Appliance not reachable
  • SWG stops handling network traffic
  • No access to SWG UI

Resolution: This issue is fixed in version 11.1.4.

Resolved issues in update 11.2.16

This release resolves known issues.   

NOTE:

  • This release updates a few of the FQDNs used by SWG for GTI communication and Update Server communication to new Skyhigh FQDNs. Depending on the features currently in use, some manual changes may be required after the upgrade for uninterrupted service. Refer to Migration to Skyhigh FQDN before upgrading.
  • Secure Web Gateway 11.2.16 is provided as a main release and archived.

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

JIRA issue numbers are provided in the reference columns.

Reference Description
WP-4265 Using the REST API to push a configuration.xml file from another location to Secure Web Gateway after modifying the configuration on the user interface now works as expected.
WP-5476 A McAfee copyright notice that was still shown when information about an ePO extension package was provided on the user interface for Secure Web Gateway has been removed.
WP-5740 Update SWG with new Icons for consistent branding.
WP-5767 The PDF opener does not crash anymore.
WP-5778 The next-hop proxy process no longer dereferences fServerSocket = 0x0 when multiple requests are received over the same connection. 
WP-5818 When LDAP authentication is performed for a user with a mail filter enabled, the authentication process does not fail anymore if the user name contains the @ special character.

Vulnerabilities Fixed    

Reference Description
WP-5815, WP-5834

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.
The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2023-38545: This flaw makes curl overflow a heap-based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer is a heap-based buffer, and the host name comes from the URL that curl has been told to operate with.
  • CVE-2023-38546: This flaw allows an attacker to insert cookies at will into a running program using libcurl, if a specific series of conditions is met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates an easy handle called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned, but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as `none` (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named `none`, if such a file exists and is readable in the current directory of the program using libcurl, and if it uses the correct file format.
  • CVE-2023-42795: Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.

Resolved issues in update 11.2.15

This release resolves known issues.   

NOTE: Secure Web Gateway 11.2.15 is provided as a main release.

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

JIRA issue numbers are provided in the reference columns.

Reference Description
WP-5747 New media type entries have been added to media type system lists to support new Content-Type headers: application/oleobject, application/x-msdownload, text/vbscript.
WP-5758 Save changes no longer fails for WebHybrid Sync, UCEhybrid Sync, and a few cluster management fields.
It is recommended to update the previous passwords set in the configuration files. For more details, see SB10406.
WP-5765 Save changes no longer fails after password encryption for file typesOps.xml.
It is recommended to update the previous passwords set in the configuration files. For more details, see SB10406.

Vulnerabilities Fixed         

Reference Description
WP-5628

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-40982 - Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

The release fixes the vulnerability for the affected E-Models.

Resolved issues in update 11.2.14

NOTE: The 11.2.14 release is no longer generally available. Install the next available version (11.2.15) instead of 11.2.14.

This release resolves known issues.   

NOTE: Secure Web Gateway 11.2.14 is provided as a main release.

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

JIRA issue numbers are provided in the reference columns.

Reference Description
WP-3593 Login message in login dialog of HTML UI/Webstart is shown properly. 
WP-4401 The import of algorithms like elliptic curves under "SSL Client Certificate Handling" works normally, as the RSA restriction is removed.
The supported ecparam curves are: secp256k1, secp384r1, secp521r1, prime256v1.
WP-5537 The vulnerability CVE-2023-4400, related to cleartext storage of sensitive information, is fixed. After upgrading to version 11.2.14, it is recommended to update the previous passwords set in the configuration files. For more details, see SB10406.
WP-5578 Both body.replace and body.insert functions work fine when a file content starts with a double quotation mark (").
WP-5613 The memory utilization of mwg-core is reduced.

Vulnerabilities Fixed         

Reference Description
WP-4635 This security flaw can leak authentication or cookie header data on HTTP redirects to the same host but another port number.
  • CVE-2022-27776,
    CVE-2022-27775,
    CVE-2022-22576
WP-4780 Net-SNMP 5.4.3 through 5.9.3 has a NULL Pointer Exception bug that a remote attacker can use to cause the instance to crash via a crafted UDP packet, resulting in Denial of Service.
  • CVE-2022-44792,
    CVE-2022-44793
WP-5392 Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root.
  • CVE-2022-41974
WP-5576 Checking excessively long DH keys or parameters may be very slow. As a result, applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays.
  • CVE-2023-3446,
    CVE-2023-3817
WP-5603 This flaw allows an attacker with control of the forwarded agent-socket on the server and the ability to write to the filesystem of the client host to execute arbitrary code with the user's privileges running the SSH-agent.
  • CVE-2023-38408

Resolved issues in update 11.2.13

This release resolves known issues.

NOTE: Secure Web Gateway 11.2.13 is provided as a main release.      

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

JIRA issue numbers are provided in the reference columns

Reference Description
WP-5551 A memory leak that occurred while handling Intermediary 103 headers in HTTP2.0 for the On-Prem appliance has been resolved.

Vulnerabilities Fixed       

Reference Description
WP-4956, WP-5102

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2017-9225,
    CVE-2017-9229

  • CVE-2022-3171,
    CVE-2022-3509,
    CVE-2022-3510

Resolved issues in update 11.2.12

This release resolves known issues.

NOTE: Secure Web Gateway 11.2.12 is provided as a main release.      

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

JIRA issue numbers are provided in the reference columns

Reference Description
WP-5419 When the authentication process on Secure Web Gateway uses the basic NTLM authentication method, adding the default domain of the NTLM authentication server to the settings no longer leads to a failure of the process.
WP-5471 ProxyHA configuration failure is fixed for SWG on Nutanix.
WP-5497 When regex terms are created for the filtering process on Secure Web Gateway, dereferencing of the null pointer does not occur anymore.
WP-5501 Anti-malware filtering on Secure Web Gateway no longer attempts to access a transaction again that has already been processed and completed.

Resolved issues in update 11.2.11

This release resolves known issues.

NOTE: Secure Web Gateway 11.2.11 is provided as a main release.      

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

JIRA issue numbers are provided in the reference columns

Reference Description
WP-4517 A new media type has been added to media type filtering to cover requests where pipelined application/http traffic is involved.
WP-4952 Rules that include multiple conditions with multiple IP addresses are shown correctly now.
WP-5261 Enhanced media type detection for SVG files.
WP-5281 A signature has been added for detecting the .one and .onepkg media types.
WP-5338 There is now an option to configure chunk encoding of traffic that is sent to a server.
WP-5361 When using SmartMatch, the path component in a URL will now be matched in a case-insensitive manner.
WP-5365 Read-only users are now able to switch to the network interface and read the information.
WP-5367 Media type detection has been enhanced for the EML file type.
WP-5377 An ENV variable has been introduced to disable ARP on interfaces where V4 is marked as disabled.
WP-5388 When an EICAR file with a test virus is embedded in a .docx file, it is extracted now and sent to the Gateway Anti-Malware (GAM) engine for scanning.
WP-5393 When data trickling is enabled, response data created under the HTTP2 protocol is completely sent to the client again.
WP-5398 When the value of the acknowledgement number field for the SSL tap is not zero, the ACK flag is set now.
WP-5461 Improved performance behaviour under heavy load situations.
WP-5462 UI login issues that occurred when a large inline list is involved have been fixed.

Vulnerabilities Fixed         

Reference Description
WP-3575, WP-5369, WP-5387, WP-5409, WP-5425

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2020-15522
  • CVE-2022-42252
  • CVE-2023-21930
  • CVE-2023-1393
  • CVE-2023-0767

Resolved issues in update 11.2.10

This release resolves known issues.

NOTE: Secure Web Gateway 11.2.10 is provided as a main release.      

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

JIRA issue numbers are provided in the reference columns 

Reference Description
WP-4758 Improved URL scheme validation as per RFC requirement.
WP-5084 UI: fixed toggle button "Ignore certificate errors" in Customer Maintained list’s Setup Dialogue box.
WP-5264 Uploading a file with chunked encoding format works without problems again.
WP-5270 An issue with downloading RTF files that led to a blocking of the download has been resolved.
WP-5295 A new media type has been added to media type filtering to detect files of the kdbx and kdb types.
WP-5300 An issue with synchronizing AgentPeer socket read/write has been resolved.
WP-5304 Secure Web Gateway reports statistics information as expected, which had not worked before due to an issue with the database lock status.

Vulnerabilities Fixed    

Reference Description
WP-4958, WP-5049, WP-5260, WP-5274, WP-5322, WP-5323

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-38177
  • CVE-2022-1552
  • CVE-2022-4883
  • CVE-2022-4304,
    CVE-2023-0215,
    CVE-2022-4450,
    CVE-2023-0286
  • CVE-2022-37434
  • CVE-2022-23521,
    CVE-2022-41903

Resolved issues in update 11.2.9

This release resolves known issues.

NOTE: Secure Web Gateway 11.2.9 is provided as a main release.      

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

JIRA issue numbers are provided in the reference columns 

Reference Description
WP-5172 JSP files are no longer interpreted but are delivered as text without additional processing; pre-compiled JSP pages are the exception.
WP-5177 Correct MediaType Detection for application/x-git.
WP-5205 REST Interface access to System files without required Permissions has been fixed.
WP-5224 A Bad Gateway error that occurred while visiting some HTTP2 websites has been resolved.
WP-5239 Memory management optimizations are made for the HTTP2 SSL tap feature.
WP-5256 Webswing has been upgraded from version 20.1.16 to version 20.2.21 LTS.
WP-5265 The maximum configurable value of ‘Connection timeout’ is now 99999 seconds in ‘Enable Proxy Control’ event.

Vulnerabilities Fixed         

Reference Description
WP-5165, WP-5273

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-3550,
    CVE-2022-3551
  • CVE-2022-4304,
    CVE-2023-0215,
    CVE-2023-0286

Resolved issues in update 11.2.8

This release resolves known issues.

NOTE: Secure Web Gateway 11.2.8 is provided as a main release.      

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

JIRA issue numbers are provided in the reference columns 

SWG release version 11.2.7 was rolled back due to an identified performance issue. Therefore, the issues fixed in that version are listed as resolved in the current release version.

Reference Description
WP-5225 When mirroring decrypted traffic with the SSL Tap feature, the source and destination IP addresses are not reversed.
WP-5226 Fixed performance and slowness issues caused by an update to the Kerberos package.

Resolved issues in update 11.2.7

This release resolves known issues.

NOTE: Secure Web Gateway 11.2.7 is provided as a main release.      

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

JIRA issue numbers are provided in the reference columns       

Reference Description
WP-4360 PD Storage: Cluster message has been optimized.
WP-4840 Update of the CRLs is working normally.
WP-4988 Fixed issue with detection of PDF files with incremental updates.
WP-5067 Sub rule sets are no longer deleted when importing a rule set via REST API.
WP-5108 Core dump issue related to NHP and connection timeout has been fixed.
WP-5154 A new environment variable is provided to control (enable/disable) creation of an unsecure Netlogon channel.

Environment variable settings:

"MWG_ALLOW_UNSECURE_NETLOGON"="NO" {Does not allow unsecure NETLOGON}

"MWG_ALLOW_UNSECURE_NETLOGON"="YES" {Allows unsecure NETLOGON for DC's backward compatibility}

WP-5186 Fixed the following scenarios when secure NHP is used for plain HTTP requests:

  1. If multiple NHPs are configured and the TLS handshake or certificate verification fails, the next NHP in the list is not tried.
  2. If multiple requests are received over a persistent client connection, SWG switches to a non-secure NHP when the server sends a close notify alert.

Vulnerabilities Fixed          

Reference Description
WP-5100, WP-5164

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-42898
  • CVE-2023-22809

Resolved issues in update 11.2.6

This release resolves known issues.

NOTE: Secure Web Gateway 11.2.6 is provided as a main release.      

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

JIRA issue numbers are provided in the reference columns  

Web filtering      

Reference Description
WP-2217 The PDF opener now also supports PDFs with version 2.0.
WP-4536 The client IP or URL is logged with Kerberos error messages when authentication logs are enabled.
WP-4859 A file previously not detected as TTF is now correctly detected as TTF.
WP-4934 Long list names used when configuring Secure Web Gateway web policy rules are rendered completely in rule sets.
WP-4981 The block page now shows the URL and category, which were missing after transitioning from the coaching block page to the URL blocked page.
WP-4992 A new media type has been added to detect InDesign documents and templates.
WP-4998 The file opener now supports tar files with pax headers.
WP-5076 The PDF opener function for detecting JavaScript has been improved.

Network communication     

Reference Description
WP-4557 No error occurs when selecting rule trace, even when the option Restrict browser session to IP address of user is enabled.
WP-4954 Passive FTP is working as expected now in an HA Proxy setup through Haproxy.
WP-4985 An HTTP2 issue related to a wrong value for connection level flow control has been fixed.
WP-5010 TCP half-close support for TCP and SOCKS proxies to access an application works without issues.
WP-5070 A high client connection issue related to URL parsing has been fixed.
WP-5111 SaaSConnectors are syncing again.

Other       

Reference Description
WP-4491 Issue related to LinkedIn video upload with HTTP2 is now fixed.
WP-4667 Users can join a Zoom meeting via browser when the waiting room option is enabled.
WP-4724 SWG UI login issue while using Client Certificate for Authentication does not occur anymore.
WP-4944 Restoring a backup works as expected now. The issue had happened due to a duplicate ID that had been assigned to a configuration file.
WP-5081 An option to configure the addition of X cache headers has been added to the proxy control configuration.
WP-5109 All the logs are rotated as per Log Manager Configuration.

Vulnerabilities Fixed        

Reference Description
WP-4999, WP-5050, WP-5101

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2023-0214
  • CVE-2022-21626,
    CVE-2022-21628,
    CVE-2022-21619,
    CVE-2022-21624
  • CVE-2022-3550,
    CVE-2022-3551

Resolved issues in update 11.2.5

This release resolves known issues.

NOTE: Secure Web Gateway 11.2.5 is provided as a main release.      

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

JIRA issue numbers are provided in the reference columns  

Reference Description
WP-4966 The Opener used for parsing rtf documents does not crash anymore.
WP-5018 A discrepancy regarding the DLP system list version, which had occurred after upgrading from Secure Web Gateway 10.2. to 11.2, has been fixed.

Vulnerabilities Fixed    

Reference Description
WP-4996

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-40674

 

Resolved issues in update 11.2.4

This release resolves known issues.

NOTE: Secure Web Gateway 11.2.4 is provided as a main release.      

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

JIRA issue numbers are provided in the reference columns.

Network communication     

Reference Description
WP-4734 Both the proxy.outbound IP address and port are working as expected now for TCP proxy connections.

Other     

Reference Description
WP-4935 The version check no longer fails when new kernels are released.
WP-4945 A memory leak in the ICAP client has been fixed.

Vulnerabilities Fixed          

Reference Description
WP-4949, WP-4950, WP-4951

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-31676
  • CVE-2022-1552
    CVE-2022-2319
    CVE-2022-2320
    CVE-2022-29154
  • CVE-2022-2319
    CVE-2022-2320

For more information about these CVEs and their impact, see the Red Hat CVE portal.

 

Resolved issues in update 11.2.3 

This release resolves known issues.

NOTE: Secure Web Gateway 11.2.3 is provided as a main release.      

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

JIRA issue numbers are provided in the reference columns.

Web filtering    

Reference Description
WP-4578 An issue with eml files, which were getting blocked due to an underscore in the message header, has been resolved.
WP-4605 PDF files that are submitted to an electronic signature platform do not get blocked anymore by a Block Encrypted Types rule, as the user key is correctly detected now.
WP-4864 Web policies are no longer invalidated because of a CTD removal that had happened.
WP-4887 Opening a document of the application/postscript media type no longer results in false as a value for the MediaTypeHasOpener property after this media type was added to the list of media types that can be handled by the File Opener on Secure Web Gateway.
WP-4922 An issue with high memory usage that occurred with the UCE container on Secure Web Gateway due to an endless loop in excel4 macro media type detection has been resolved.

Network communication     

Reference Description
WP-4835 Exceptions that had been entered in the Port Redirection table based on IP addresses are working as expected for the Transparent Bridge mode.
WP-4931 Checking lists with revoked certificates does not fail anymore, which had happened due to a browser error.

Other     

Reference Description
WP-4937 A failure of the SaaS Connector on Secure Web Gateway does not occur anymore.
WP-4465 Tomcat has been upgraded from version 7.x to version 9.x

Vulnerabilities Fixed           

Reference Description

WP-3750,WP-4871

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-23307, 
    CVE-2022-23305,
    CVE-2022-23302 
  • CVE-2022-37434 - The impact is low; successful exploitation needs physical system access.

For more information about these CVEs and their impact, see the Red Hat CVE portal.

Resolved Issues in Update 11.2.2 

This release resolves known issues.

NOTE: Secure Web Gateway 11.2.2 is provided as a main release.      

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

JIRA issue numbers are provided in the reference columns.

Other     

Reference Description
WP-4767 Resolved an issue where SWG did not process traffic when used along with an HSM, due to threads hanging in a critical section lock.
WP-4813 Alerts related to HSM keys containing control characters are now escaped (‘%’ replaced with ‘/’) to resolve the issue where the Alert Page disappeared.
WP-4833 Secure Web Gateway on-prem forwards all requests with X-SWEB headers to Secure Web Gateway cloud again.
WP-4836 The client_ip field in the access log for Secure Web Gateway cloud no longer omits the IP address of Secure Client Proxy.
WP-4839 The AOLE2 Opener used for opening Microsoft Office files does not crash anymore.

Vulnerabilities Fixed           

Reference Description

WP-4801, WP-4802, WP-4834, WP-4841

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2020-10663 - There is no impact on SWG. The Ruby core of SWG does not use this library to parse or process JSON data, so there is no input vector available for exploitation.
  • CVE-2021-31799 - There is no impact on SWG, since the package is used to generate documentation and is therefore not installed on customer environments.
  • CVE-2020-26116 - There is no impact on SWG, since Python is not in use for normal SWG functioning.
    CVE-2020-26137
    CVE-2022-0391
  • CVE-2022-34169 - There is no impact. SWG does not load untrusted code.
    CVE-2022-25647
    CVE-2022-21541
    CVE-2022-21540
    CVE-2022-21549 

For more information about these CVEs and their impact, see the Red Hat CVE portal.

Resolved Issues in Update 11.2.1 

This release resolves known issues.

NOTE: Secure Web Gateway 11.2.1 is provided as a controlled release.       

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

JIRA issue numbers are provided in the reference column.

End of Life: Web Hybrid Legacy Settings

The Web Hybrid Legacy settings are no longer available for configuring an appliance system.

 

  Vulnerabilities Fixed           

Reference Description

WP-4619, WP-4723, WP-4731, WP-4733, WP-4762, WP-4766, WP-4781 

 

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-21476 - There is no impact on SWG because no untrusted Java code is loaded.
    CVE-2022-21496
    CVE-2022-21434
    CVE-2022-21426
    CVE-2022-21443
  • CVE-2022-24903 - There is no impact on SWG because it is not configured to be a receiver by default.
  • CVE-2022-2310 - For impact details, see Security Bulletin SB10384.
  • CVE-2022-2068 - There is no impact. The affected script is not shipped by default on customer instances.
  • CVE-2022-34914 - There is a critical impact. Immediate upgrade is strongly recommended. 
  • CVE-2022-1271 - There is a moderate impact on SWG since it requires CLI access to the instance to be exploited.
  • CVE-2022-2097 - There is a low impact, since the vulnerability only affects the 32-bit implementation and does not affect TLS.

For more information about these CVEs and their impact, see the Red Hat CVE portal.

Resolved Issues in the 11.2 Release 

This release resolves known issues.

NOTE: Secure Web Gateway 11.2 is provided as a main release.       

For upgrade information, see the Upgrading to a new version provided as a main release section of the Secure Web Gateway Installation Guide. 

JIRA issue numbers are provided in the reference columns.

Network communication    

Reference Description
WP-1590 POST commands running while HTTP tunneling is enabled do not lead to a failure of the core process on Secure Web Gateway anymore.
WP-3343 IP spoofing is supported for HTTP(S) when setting up proxies in Explicit Proxy or L2 Transparent mode.
WP-3953 SWG can be configured to retain the destination port number when tapped packets are created.
WP-4145 POST commands running while HTTP tunneling is enabled do not lead to a failure of the core process on Secure Web Gateway anymore.
WP-4370 SSL tapping now supports HTTP2 on Secure Web Gateway.
WP-4396 The destination MAC address can be customized when tapped packets are broadcast.
WP-4443 Users can disable the Enable FTP over HTTP option when configuring an HTTP Proxy Port. This option is enabled by default.
WP-4447 A new property is added to store the rule and rule set names or IDs that were processed at the end of the request and response filtering cycles.
WP-4451 The Bond interface is brought up with the appliance and Static Routes settings are restored correctly after a full restore of Web Gateway.
WP-4541 Processing of cluster messages sent by the Notification plugin that is implemented in the core process has been improved.
WP-4558 When the data threshold of 10 GB is reached on an ICAP connection, the connection is shut down to avoid overload issues.
WP-4559 Memory can be reserved for advance usage while reading messages on Secure Web Gateway, so the length of the response is already known early, which avoids memory reallocation.
WP-4560 Processing of cluster messages sent by the Notification plugin that is implemented in the core process has been improved.
WP-4566 Copying of files has been improved.
WP-4646 An issue with high memory usage that occurred on a Secure Web Gateway for On-Prem appliance has been resolved.
WP-4674 Triggering the execution of the Hybrid policy now works correctly.

Other    

Reference Description
WP-2952 A user without Troubleshooting rights cannot DOWNLOAD or DELETE files via the REST interface.
WP-3990 Excel 4 macros are now detected in media type filtering.
WP-4134 A password for an update proxy user is escaped properly again, after this had not worked and caused yum to treat the user name as the name of the proxy server.
WP-4238 The rule in the script filter rule set that removes ActiveX objects from JavaScript now works correctly.
WP-4245 An admin user can again log on to Web Gateway using NTLM authentication successfully.
WP-4285 A new property is added to expose encrypted archive directory listings.
WP-4331 A 502 error that occurred when working with the AWS admin page has been resolved.
WP-4350 A URL path encoding issue that involved subscribed lists has been resolved.
WP-4351 A table without a header is no longer recognized erroneously as application/x-compressed-arc.
WP-4362 The Secure Web Gateway rule set for file scanning now scans nested archive files, which had caused issues before.
WP-4428 Data that is collected by the GTI diagnosis script of the operating system is included in the output feedback file.
WP-4429 TCP dump options have been enhanced by adding a packet tracing feature.
WP-4440 An admin user can again log on to Web Gateway using NTLM authentication successfully.
WP-4444 Files are no longer detected as missing for Web Gateway nodes because of incorrect reference handling.
WP-4450 The mwg-snmp.service unit is available again now after a reboot of Web Gateway.
WP-4459 File scanning now extracts text from PDFs, which had failed before, as the scanning process went into a loop causing CPU consumption to reach 100%.
WP-4518 High memory usage on a Web Gateway appliance does not occur anymore.
WP-4556 Coordinator crashes that led to a shutdown on a Secure Web Gateway appliance do not occur anymore.
WP-4567 The SmartCache default size value has been increased from 100 to 1000 MB.
WP-4584 Response time for CStorageJob backup and restore activities has been improved.
WP-4650 Random downloads of an f.txt file in Chrome/Edge browsers do not occur anymore.

Vulnerabilities Fixed          

Reference Description
WP-4347, WP-4408, WP-4416, WP-4432, WP-4454, WP-4547, WP-4554, WP-4591, WP-4598, WP-4621

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2021-41617
  • CVE-2021-4008
  • CVE-2021-4009
  • CVE-2021-4010
  • CVE-2021-4011
  • CVE-2022-23990
  • CVE-2022-23852
  • CVE-2022-45960
  • CVE-2022-22822
  • CVE-2022-22823
  • CVE-2022-22824
  • CVE-2022-22825
  • CVE-2021-46143
  • CVE-2022-22826
  • CVE-2022-22827
  • CVE-2022-25236
  • CVE-2022-25235
  • CVE-2022-25315
  • CVE-2022-1254
  • CVE-2022-24407
  • CVE-2022-0778
  • CVE-2018-25032
  • CVE-2022-1271
  • CVE-2022-1292

For more information about these CVEs and their impact, see the Red Hat CVE portal.
