Skip to main content

Skyhigh Security is launching standalone documentation portals to support Japanese, German, and French languages. We are not supporting auto-translation. Stay tuned for further updates. Thanks for your support.

Skyhigh Security

Secure Web Gateway 12.0.x Release Notes

New Features in the 12.0 Release

This release provides the following new features. For resolved issues in this release and the update releases, see further below.

Rebranding to Account for Transition 

Names of products, components, and other items have been rebranded to account for the transition from McAfee to Secure Web Gateway.

Action for Certificate Error to be Decided by User 

When a certificate error occurs, it is shown in the browser, so that you can decide which action to take.

Configurable OCSP/CRL Domain to Support Transparent Mode 

When configuring a transparent proxy mode for Secure Web Gateway, you can select the OCSP or CRL domain that information about revoked certificates is retrieved from.

Validation of customer ID and Shared secret for UCE hybrid

For UCE hybrid customers using SCP, a configurable option has been provided to validate the customer ID and shared secret. It ensures if the traffic from multiple tenants should be allowed to go to UCE via same on-prem Secure Web Gateway.

Property for Logging Next-hop Proxy Address 

A new property is provided that allows you to log the IP addresses of next-hop proxies in the logging cycle on Secure Web Gateway.

Tomcat Upgrade 

Tomcat has been upgraded to version 9.

LogJ4 Upgrade 

LogJ4 has been upgraded from version 1.x to 2.x.

Resolved Issues in the 12.0.1 Release 

This release resolves known issues.

NOTE: Secure Web Gateway 12.0.1 is provided as a controlled release.      

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

JIRA issue numbers are provided in the reference columns.

Web filtering     

Reference Description
WP-2217 The PDF opener now also supports PDFs with versions 2.0.
WP-4536 Client IP or URL to be logged with Kerberos error messages, when authentication logs are enabled."
WP-4859 File previously not getting detected as TTF gets detected correctly as TTF now.
WP-4934 Long list names used when configuring Secure Web Gateway web policy rules are rendered completely in rule sets.
WP-4966 The file opener does not crash anymore when used to parse rtf documents.
WP-4981 Block page now shows URL and category, which was missing after transitioning from coaching block page to URL blocked page
WP-4992 A new media type has been added to detect InDesign documents and templates
WP-4998 The file opener now supports tar files with pax headers.
WP-5076 The PDF opener function for detecting JavaScript has been improved.

 

Network communication    

Reference Description
WP-4557 No error was found when selecting rule trace even when option Restrict browser session to IP address of user is enabled
WP-4954 Passive FTP is are working as expected now in a HA Proxy setup through Haproxy.
WP-4985 An HTTP2 issue related to a wrong value for connection level flow control has been fixed.
WP-5010 TCP half-close support for TCP and SOCKS proxies to access an application works without issues.
WP-5018 Version discrepancy of DLP system lists no longer occurs after updating SWG 10.2 to 11.2.
WP-5070 A high client connection issue related to URL parsing has been fixed.
WP-5111 SaaSConnectors are syncing again.

Other      

Reference Description
WP-4491 Issue related to LinkedIn video upload with HTTP2 is now fixed.
WP-4664 Update Webgateway to point from existing McAfee based GTI domains to newly migrated GTI domain (swg.repl.gti.trellix.com).
WP-4667 Users can join a Zoom meeting via browser when the waiting room option is enabled.
WP-4724 SWG UI login issue while using Client Certificate for Authentication does not occur anymore.
WP-4944 Restore backup are working as expected now, which had happened due to duplicate ID that had been assigned to configuration file.
WP-5024 The rsyslog daemon had kept the /var/log/haproxy/ haproxy-info_1.log file open until all disk space had been filled up on a Secure Web Gateway appliance. This has been fixed now and log rotation works fine again.
WP-5074 A core crash issue with the NativeBrowserCA feature has been resolved.
WP-5081 An option to configure addition of X cache headers is added to proxy control configuration
WP-5109 All the logs are rotated as per Log Manager Configuration.

 

Vulnerabilities Fixed       

Reference Description
WP-4996, WP 4999,
WP-5050, WP-5101

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-40674
  • CVE-2023-0214
  • CVE-2022-21626,
    CVE-2022-21628,
    CVE-2022-21619,
    CVE-2022-21624
  • CVE-2022-3550,
    CVE-2022-3551

Resolved Issues in the 12.0 Release 

This release resolves known issues.

NOTE: Secure Web Gateway 12.0 is provided as a controlled release.      

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

JIRA issue numbers are provided in the reference columns.

Network communication      

Reference Description
WP-4835 Exceptions that had been entered in the Port Redirection table based on IP addresses are working as expected for the Transparent Bridge mode.

Other      

Reference Description
WP-4465 Tomcat has been upgraded from version 7.x to version 9.x
WP-4599 User can decide which action to be taken when a certificate error occurs.
WP-4767 Resolved SWG not processing traffic issue when used along with HSM , due to threads hanging in critical section lock.
WP-4850 SWG extracts the X-SWEB-CustomerId header and checks if it matches the customerId configured in UCE hybrid settings.
WP-4874 A new property is provided that allows you to log the IP addresses of next-hop proxies in the logging cycle on Secure Web Gateway.
WP-4887 Opening a document of the application/postscript media type no longer results in false as a value for the MediaTypeHasOpener property after this media type was added to the list of media types than can be handled by the File Opener on Secure Web Gateway.
WP-4935 The version check fails no longer when new kernel are released.
WP-4937 A failure of the SaaS Connector on Secure Web Gateway does not occur anymore.
WP-4945 A memory leak in ICAP client has been fixed.

Vulnerabilities Fixed    

Reference Description

WP-4723, WP-4733, WP-4762, WP-4766, WP-4781, WP-4834, WP-4841, WP-4871, WP-4949, WP-4950, WP-4951

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-24903 - There is no impact on SWG because as it is not
    configured to be a receiver by default.
  • CVE-2022-2068 - There is no impact. Affected script is not shipped by
    default on customer instances.
  • CVE-2022-34914 - There is a critical impact. Immediate upgrade is
    strongly recommended.
  • CVE-2022-1271 - There is a moderate impact on SWG since it
    requires CLI access to the instance to be exploite
  • CVE-2022-2097 - There is a Low impact, since vulnerability only
    affects 32bit implementation and does not affect TLS.
  • CVE-2020-26116 - There is no impact on SWG, since Python is not in
    use for normal SWG functioning.
    CVE-2020-26137
    CVE-2022-03
  • CVE-2022-34169 - There is no impact. SWG does not load untrusted
    code.
    CVE-2022-25647
    CVE-2022-21541
    CVE-2022-21540
    CVE-2022-21549
  • CVE-2022-37434 - Low impact, needs physical system access for
    successful exploitation.
  • CVE-2022-31676 - 
  • CVE-2022-29154 - There is no impact.CVSS score is high but it’s not a part of MWG main functionality
  • CVE-2022-2319 - Low impact, on SWG because xvfb is only used by Webswing, and webswing is not controlled externally.
    CVE-2022-2320 

For more information about these CVEs and their impact, see the Red Hat CVE portal.

 

  • Was this article helpful?