Secure Web Gateway 12.1.x Release Notes

New Features in the 12.1 Release

Configure Proxy Control X-Cache Header

A configurable option is now available to either add or remove the Proxy Control X-Cache header in the response. The new setting is located at Policy > settings > proxy control, and the checkbox is called Override X-Cache Header. The setting is enabled by default. For more details, see Configure the X-Cache Header in the Response.

TCP Half Close support for TCP Proxy and SOCKS Proxy 

TCP Half Close refers to a TCP connection that is closed in one direction only. When one participant in a TCP connection has sent a FIN in one direction, it can still receive data from the other participant until the second FIN is received from the other direction. TCP Half Close support is provided for SWG acting as TCP Proxy or SOCKS Proxy. For details, see TCP Half Close for TCP or SOCKS Proxy.
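As an added illustration (not Skyhigh's code), the relay below shows what half-close support means for a proxy: a FIN is forwarded in its own direction only, so a backend that replies after seeing the client's FIN still gets its answer through. The loopback listeners, function names and payload are constructed for the example.

```python
import socket
import threading

def pump(src, dst):
    """Copy src -> dst until src sends FIN, then pass that FIN on to dst."""
    while data := src.recv(4096):
        dst.sendall(data)
    try:
        dst.shutdown(socket.SHUT_WR)  # half-close: dst -> us stays readable
    except OSError:
        pass  # peer already reset the connection

def relay(client, upstream):
    """Run both directions independently; close only after both saw FIN."""
    t = threading.Thread(target=pump, args=(client, upstream))
    t.start()
    pump(upstream, client)
    t.join()
    for s in (client, upstream):
        s.close()

def read_all(sock):
    """Read until the peer's FIN (recv returns b'')."""
    return b"".join(iter(lambda: sock.recv(4096), b""))

def demo():
    """Constructed loopback run: client -> relay -> backend that replies after FIN."""
    with socket.create_server(("127.0.0.1", 0)) as backend, \
         socket.create_server(("127.0.0.1", 0)) as proxy:
        def run_backend():
            conn, _ = backend.accept()
            with conn:
                conn.sendall(read_all(conn).upper())  # answers only after the FIN
        def run_proxy():
            conn, _ = proxy.accept()
            relay(conn, socket.create_connection(backend.getsockname()))
        workers = [threading.Thread(target=f) for f in (run_backend, run_proxy)]
        for w in workers:
            w.start()
        with socket.create_connection(proxy.getsockname()) as client:
            client.sendall(b"half-close demo")
            client.shutdown(socket.SHUT_WR)  # first FIN: done sending
            reply = read_all(client)         # still receiving until second FIN
        for w in workers:
            w.join()
    return reply

if __name__ == "__main__":
    print(demo())
```

A relay that closed both sockets on the first FIN would return an empty reply here, which is the truncation that half-close support avoids.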

Configure Separate Passwords for SNMPv3 Auth and Encryption

You can now configure separate passwords for Authentication and Encryption for the SNMPv3 messages. For details, see Configure Event Monitoring with SNMP.

Return To Sender

This feature allows outgoing traffic of SWG to skip default kernel routing. Each reply packet going out:

  1. has the same source MAC address as the destination MAC address in the request packet.
  2. has the same destination MAC address as the source MAC address in the request packet.
  3. is redirected to the interface on which the request arrived, if the reply would otherwise go out on a different interface.

MediaType Detection for InDesign Files

Media Type can detect InDesign INDD and INDT files and templates. For these file types, the MediaType.EnsuredTypes property contains application/x-indesign. For details, see Media Type Detection for InDesign.

Rebranded SNMP SMI and MIB file with updated Org OID for Skyhigh Security 

As part of the rebranding, a new Object Identifier (OID) has been introduced for the organization Skyhigh Security. We are updating the SNMP OID from .1.3.6.1.4.1.1230* to .1.3.6.1.4.1.59732*. You need to update your management software accordingly if it refers to these OIDs. For more details, see Configure event monitoring with SNMP.
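An added example, not part of the Skyhigh documentation: a boundary-aware rewrite of numeric OIDs in a management configuration, so that monitoring rules do not silently stop matching after the upgrade. It assumes the sub-identifiers below the organization arc are unchanged, which should be confirmed against the new MIB file; the sample rule syntax and sub-arcs are constructed.

```python
import re

OLD_ORG = (1, 3, 6, 1, 4, 1, 1230)    # old subtree named in the release note
NEW_ORG = (1, 3, 6, 1, 4, 1, 59732)   # new Skyhigh Security subtree
# Numeric OID with optional leading dot; never a fragment of a longer token.
OID_RE = re.compile(r"(?<![\w.])\.?\d+(?:\.\d+)+(?!\w|\.\d)")

def migrate_oid(oid):
    """Move an OID under NEW_ORG; return None if it is not under OLD_ORG."""
    arcs = tuple(int(a) for a in oid.lstrip(".").split("."))
    if arcs[:len(OLD_ORG)] != OLD_ORG:
        return None  # e.g. ...4.1.12300 is a different enterprise, not a prefix hit
    lead = "." if oid.startswith(".") else ""
    # Assumption: arcs below the organization number keep their values.
    return lead + ".".join(map(str, NEW_ORG + arcs[len(OLD_ORG):]))

def migrate_config(text):
    """Rewrite OIDs line by line; return (new_text, [(line_no, old, new), ...])."""
    changes, out = [], []
    for no, line in enumerate(text.splitlines(), 1):
        def swap(match, no=no):
            new = migrate_oid(match.group(0))
            if new is None:
                return match.group(0)
            changes.append((no, match.group(0), new))
            return new
        out.append(OID_RE.sub(swap, line))
    return "\n".join(out), changes

# Constructed sample; the rule syntax and the sub-arcs are made up.
SAMPLE = """\
# monitoring rules
monitor swg-stats oid=.1.3.6.1.4.1.1230.2.7
trap-rule swg-alert oid=1.3.6.1.4.1.1230.2.7.1.1 action=page
monitor other-device oid=.1.3.6.1.4.1.12300.1
"""

if __name__ == "__main__":
    new_text, changes = migrate_config(SAMPLE)
    for no, old, new in changes:
        print(f"line {no}: {old} -> {new}")
```

Symbolic references (for example names resolved through the old MIB file) are not touched by this numeric rewrite and need the rebranded MIB loaded instead.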

Resolved Issues in the 12.1.5 Release  

This release resolves known issues.

NOTE: Secure Web Gateway 12.1.5 is provided as a controlled release.

For information about how to upgrade to this release, see Upgrading to a New Version - Controlled Release.

JIRA issue numbers are provided in the reference columns.

Reference Description
WP-5338 There is now an option to configure chunk encoding of traffic that is sent to a server.
WP-5419 When the authentication process on Secure Web Gateway uses the basic NTLM authentication method, adding the default domain of the NTLM authentication server to the settings no longer leads to a failure of the process.
WP-5497 When regex terms are created for the filtering process on Secure Web Gateway, a null pointer dereference no longer occurs.
WP-5501 Anti-malware filtering on Secure Web Gateway no longer attempts to access a transaction again that has already been processed and completed.

Resolved Issues in the 12.1.4 Release  

This release resolves known issues.

NOTE: Secure Web Gateway 12.1.4 is provided as a controlled release.      

For information about how to upgrade to this release, see Upgrading to a New Version - Controlled Release.

JIRA issue numbers are provided in the reference columns.

Reference Description
WP-4517 A new media type has been added to media type filtering to cover requests where pipelined application/http traffic is involved.
WP-4952 Rules that include multiple conditions with multiple IP addresses are shown correctly now.
WP-5261 Enhanced media type detection for SVG files.
WP-5281 A signature has been added for detecting the .one and .onepkg media types.
WP-5361 When using SmartMatch, the path component in a URL is now matched in a case-insensitive manner.
WP-5365 Read-only users are now able to switch to the network interface and read the information.
WP-5367 Media type detection has been enhanced for the EML file type.
WP-5376 When a download is performed on Web Gateway Cloud Service (WGCS) under the HTTP2 protocol, use of a progress page to show download progress no longer causes the download to fail.
WP-5377 An ENV variable has been introduced to disable ARP on interfaces where V4 is marked as disabled.
WP-5388 When an EICAR file with a test virus is embedded in a .docx file, it is extracted now and sent to the Gateway Anti-Malware (GAM) engine for scanning.
WP-5393 When data trickling is enabled, response data created under the HTTP2 protocol is completely sent to the client again.
WP-5398 When the value of the acknowledgement number field for the SSL tap is not zero, the ACK flag is set now.
WP-5461 Improved performance behaviour under heavy load situations.
WP-5462 UI login issues that occurred when a large inline list is involved have been fixed.

Vulnerabilities Fixed       

Reference Description
WP-3575, WP-5369, WP-5387, WP-5409, WP-5425

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2020-15522
  • CVE-2022-42252
  • CVE-2023-21930
  • CVE-2023-1393
  • CVE-2023-0767

Resolved Issues in the 12.1.3 Release  

This release resolves known issues.

NOTE: Secure Web Gateway 12.1.3 is provided as a controlled release.      

For information about how to upgrade to this release, see Upgrading to a New Version - Controlled Release.

JIRA issue numbers are provided in the reference columns.

Reference Description
WP-5084 UI: The toggle button "Ignore certificate errors" in the Setup dialog box of a Customer Maintained list has been fixed.
WP-5264 Uploading a file with chunked encoding format works without problems again.
WP-5270 An issue with downloading RTF files that led to a blocking of the download has been resolved.
WP-5295 A new media type has been added to media type filtering to detect files of the kdbx and kdb types.
WP-5300 An issue with synchronizing AgentPeer socket read/write has been resolved.
WP-5304 Secure Web Gateway reports statistics information as expected, which had not worked before due to an issue with the database lock status.

Vulnerabilities Fixed      

Reference Description
WP-4958, WP-5049, WP-5260, WP-5274, WP-5322, WP-5323

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-38177
  • CVE-2022-1552
  • CVE-2022-4883
  • CVE-2022-4304, CVE-2023-0215, CVE-2022-4450, CVE-2023-0286
  • CVE-2022-37434
  • CVE-2022-23521, CVE-2022-41903

Resolved Issues in the 12.1.2 Release  

This release resolves known issues.

NOTE: Secure Web Gateway 12.1.2 is provided as a controlled release.      

For information about how to upgrade to this release, see Upgrading to a New Version - Controlled Release.

JIRA issue numbers are provided in the reference columns.

Reference Description
WP-5172 JSP files are no longer interpreted but are delivered as text without additional processing, except for pre-compiled JSP pages.
WP-5177 Correct MediaType Detection for application/x-git.
WP-5205 REST Interface access to System files without required Permissions has been fixed.
WP-5224 A bad gateway error while visiting some HTTP2 websites has been resolved.
WP-5239 Memory management optimizations are made for the HTTP2 SSL tap feature.
WP-5241 The upgrade from 12.1.0 to 12.1.1 was failing due to ebpf, which has now been resolved as part of this issue.
WP-5256 Webswing has been upgraded from version 20.1.16 to version 20.2.21 LTS.
WP-5265 The maximum configurable value of ‘Connection timeout’ is now 99999 seconds in ‘Enable Proxy Control’ event.

Vulnerabilities Fixed        

Reference Description
WP-5165, WP-5273

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-3550, CVE-2022-3551
  • CVE-2022-4304, CVE-2023-0215, CVE-2023-0286

 

Resolved Issues in the 12.1.1 Release  

This release resolves known issues.

NOTE: Secure Web Gateway 12.1.1 is provided as a controlled release.      

For information about how to upgrade to this release, see Upgrading to a New Version - Controlled Release.

JIRA issue numbers are provided in the reference columns.
 

Upgrade from 12.1.0 to 12.1.1

  1. yum install  kernel --downloadonly  --downloaddir=/root/
  2. rpm -i --force kernel-4.19.256-3.2.mlos3.mwg.x86_64.rpm
  3. mwg-switch-repo 12.1.1
  4. yum upgrade yum
  5. yum upgrade
  6. reboot

SWG release version 12.1.0 was rolled back due to an identified performance issue. Therefore, the issues fixed in that version are listed as resolved in the current release version.

Reference Description
WP-5067 Sub rule sets are no longer deleted when importing a rule set via REST API.
WP-5108 A core dump issue related to NHP and connection timeout has been fixed.
WP-5170 Parallel events can be handled again properly when the rule engine on Secure Web Gateway is called from a temporary proxy process transaction.
WP-5186 Fixed the following scenarios when secure NHP is used for plain HTTP requests:

  1. If multiple NHPs are configured and the TLS handshake or certificate verification fails, the next NHP in the list is not tried.
  2. If multiple requests are received over a persistent client connection, SWG switches to a non-secure NHP when the server sends a close notify alert.
WP-5225 When mirroring decrypted traffic with the SSL Tap feature, the source and destination IP addresses are not reversed.
WP-5226 Performance and slowness issues caused by an update in the Kerberos package have been fixed.

Vulnerabilities Fixed          

Reference Description

WP-5164

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2023-22809

 

Resolved Issues in the 12.1.0 Release  

This release resolves known issues.

NOTE: Secure Web Gateway 12.1.0 is provided as a controlled release.      

For information about how to upgrade to this release, see Upgrading to a New Version - Controlled Release.

JIRA issue numbers are provided in the reference columns.
 

Web filtering      

Reference Description
WP-2217 The PDF opener now also supports PDFs with versions 2.0.
WP-4536 The client IP address or URL is now logged with Kerberos error messages when authentication logs are enabled.
WP-4859 A file that was previously not detected as TTF is now detected correctly as TTF.
WP-4934 Long list names used when configuring Secure Web Gateway web policy rules are rendered completely in rule sets.
WP-4966 The file opener does not crash anymore when used to parse rtf documents.
WP-4981 The block page now shows the URL and category, which were missing after transitioning from the coaching block page to the URL blocked page.
WP-4992 A new media type has been added to detect InDesign documents and templates.
WP-4998 The file opener now supports tar files with pax headers.
WP-5076 The PDF opener function for detecting JavaScript has been improved.

Network communication     

Reference Description
WP-4064 SWG now supports a different username and password for SNMPv3 Auth and Encryption.
WP-4360 Cluster sync for PDstorage data is not filling up in the provided path /opt/mwg/temp anymore.
WP-4557 No error occurs when selecting rule trace, even when the option Restrict browser session to IP address of user is enabled.
WP-4954 Passive FTP is working as expected now in an HA Proxy setup through Haproxy.
WP-4985 An HTTP2 issue related to a wrong value for connection level flow control has been fixed.
WP-5010 TCP half-close support for TCP and SOCKS proxies to access an application works without issues.
WP-5018 Version discrepancy of DLP system lists no longer occurs after updating SWG 10.2 to 11.2.
WP-5070 A high client connection issue related to URL parsing has been fixed.
WP-5069 SWG now supports different passwords for authentication and encryption.
WP-5111 SaaSConnectors are syncing again.

Other       

Reference Description
WP-4491 Issue related to LinkedIn video upload with HTTP2 is now fixed.
WP-4664 Web Gateway has been updated to point to the newly migrated GTI domain (swg.repl.gti.trellix.com) instead of the existing McAfee-based GTI domains.
WP-4667 Users can join a Zoom meeting via browser when the waiting room option is enabled.
WP-4724 SWG UI login issue while using Client Certificate for Authentication does not occur anymore.
WP-4840 Updating of the CRLs is working normally.
WP-4944 Restoring a backup works as expected now. The issue had occurred due to a duplicate ID that had been assigned to a configuration file.
WP-4988 Files are no longer blocked as corrupted.
WP-5020 Core does not crash anymore.
WP-5024 The rsyslog daemon had kept the /var/log/haproxy/haproxy-info_1.log file open until all disk space had been filled up on a Secure Web Gateway appliance. This has been fixed now and log rotation works fine again.
WP-5074 A core crash issue with the NativeBrowserCA feature has been resolved.
WP-5081 An option to configure the addition of X-Cache headers has been added to the proxy control configuration.
WP-5109 All the logs are rotated as per Log Manager Configuration.

Vulnerabilities Fixed        

Reference Description

WP-4996, WP-4999, WP-5050, WP-5100, WP-5101

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-40674
  • CVE-2023-0214
  • CVE-2022-21626, CVE-2022-21628, CVE-2022-21619, CVE-2022-21624
  • CVE-2022-42898
  • CVE-2022-3550, CVE-2022-3551