Skyhigh Security

Secure Web Gateway 9.2.x Release Notes

What's new in the 9.2 release

Releases can introduce new features and enhancements or update platform support.

Rule set to run next-hop proxies for cloud use

A rule set is provided on-premise for running next-hop proxies that can be enabled for cloud use.

For more information, see the Next-hop proxies section in the Supporting functions chapter of the Secure Web Gateway Product Guide.

Rule to allow bypassing for MMCS traffic

A new rule has been added to an on-premise rule set that implements bypassing of HTTPS scanning. The rule applies if a connection originates from a mobile system using Secure Web Gateway Mobile Cloud Security (MMCS) and the site that is involved is whitelisted.

For more information, see the HTTPS scanning section in the Web filtering chapter of the Secure Web Gateway Product Guide.

More media types supported for filtering

The following media types have been added to those that are detected and can be filtered on Secure Web Gateway:

  • application/dns-message
  • application/step

For more information on media type filtering, see the Media type filtering section in the Web filtering chapter of the Secure Web Gateway Product Guide.

File opener improved

The file opener on Secure Web Gateway has been improved and now supports TTF fonts in PDF files.

For more information on file opening, see the File opening section in the Supporting functions chapter of the Secure Web Gateway Product Guide.

Transparent Bridge mode restored

After resolving stability issues that had occurred in previous product versions, the Transparent Bridge mode has been restored as an option for setting up Secure Web Gateway in a local network.

For more information, see the Transparent Proxy ... sections in the Proxies chapter of the Secure Web Gateway Product Guide.

Options for CTD removed from user interface

The Tenant Info settings, which could be used to configure Cloud Threat Detection (CTD) on Secure Web Gateway, have been removed from the user interface.

Number of concurrent client connections increased on WBG-5xxx-D appliances

Secure Web Gateway has been improved to handle an increased number of concurrent connections on one appliance. This adds to the value of the appliance through better scalability.

The increase applies to a standard configuration where the solution known as normal forward proxy runs on Secure Web Gateway. It does not apply when you have set up, for example, a High Availability (HA) proxy solution.

The following increase has been measured:

  • WBG-5000-D could handle 10% more client connections, resulting in 55,000 concurrent connections
  • WBG-5500-D could handle 101% more client connections, resulting in 100,500 concurrent connections

For more information, see the Advanced settings (for proxies) section in the Proxies chapter of the Secure Web Gateway Product Guide.

New administrator roles for use in troubleshooting

New role options have been implemented for administrators who perform troubleshooting on Secure Web Gateway.

For more information, see the Administrator role settings section in the Administrator accounts chapter of the Secure Web Gateway Product Guide.

Monitoring of response times on GTI server connections

When queries are sent from a Secure Web Gateway appliance to a Global Threat Intelligence (GTI) server to retrieve information about URL categories and reputation scores, response times can be monitored.

Log messages are written when response times increase as well as when they return to normal.

For more information, see the URL Filter settings section in the Web filtering chapter of the Secure Web Gateway Product Guide.

More granular monitoring of system resources

Usage of system resources on a Secure Web Gateway appliance can be monitored in a more granular way using the new - S threads-short command when creating core files for tracing the swg-core process.

When this command delivers output, threads are identified by short names, so threads that consume excessive CPU and others that cause problems can be detected more easily.

ENA adapter supported

The Elastic Network Adapter (ENA) is now supported on Secure Web Gateway for AWS instance types that also support it. This means that a particular kernel-crash dump feature is available for troubleshooting when running Secure Web Gateway on those instance types.

The C5 and M5 instance types have been added to these.

What's new in update 9.2.12

Releases can introduce new features and enhancements.

Enhancements have been introduced as follows in this release.

More efficient handling of WebSwing user interface

For users working with the WebSwing version of the user interface, the individual IP addresses of their client systems are recorded in the audit log when requests come in from these clients. The common 127.0.0.1 address is no longer in use here.

This address had been logged for all users due to the role that WebSwing took as a remote desktop from the point of view of the Java user interface.

A commercial WebSwing version has also been implemented to overcome some limitations of the open source versions.

What's new in update 9.2.13

This release introduces several enhancements.

Kerberos authentication with improved logging

When the Kerberos authentication method is used, error logging has been improved, for example, by writing client IP addresses to the log.

More Visio media types detected

More media types relating to Microsoft Visio can be detected in media type filtering, for example, files with extension VSDX and content type application/vnd.ms-visio.drawing.main+xml or with extension VSTX and content type application/vnd.ms-visio.template.main+xml.

Handling of HTTP2 statistics improved

HTTP2 statistics, which are also shown on the Secure Web Gateway dashboard, are provided over the Simple Network Management Protocol (SNMP) so that an external SNMP manager can poll them.

Resolved issues in update 9.2.25

This release resolves issues.

For a list of currently unresolved known issues, see Secure Web Gateway 9.x Known Issues (KB92141).

NOTE: Secure Web Gateway 9.2.25 is provided as a main release and archived.         

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

JIRA issue numbers are provided in the reference column.

Web filtering
Reference Description
WP-4578 An issue with eml files, which were getting blocked due to an underscore in the message header, has been resolved.
WP-4922 An issue with high memory usage that occurred with the UCE container on Secure Web Gateway due to an endless loop in Excel 4 macro media type detection has been resolved.

Others
Reference Description
WP-4465 Tomcat has been upgraded from version 7.x to version 9.x.

Announced Vulnerabilities 

Reference Description

WP-3750, WP-4871

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-23307, 
    CVE-2022-23305,
    CVE-2022-23302 
  • CVE-2022-37434 - There is a low impact because physical system access is needed for successful exploitation.

For more information about these CVEs and their impact, see the Red Hat CVE portal.

Resolved issues in update 9.2.24

This release resolves issues.

For a list of currently unresolved known issues, see Secure Web Gateway 9.x Known Issues (KB92141).

NOTE: Secure Web Gateway 9.2.24 is provided as a main release and archived.         

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

JIRA issue numbers are provided in the reference column.

Other      
Reference Description
WP-4767 An issue where SWG did not process traffic when used along with an HSM, due to threads hanging in a critical section lock, has been resolved.
WP-4839 The AOLE2 Opener used for opening Microsoft Office files does not crash anymore.

Announced Vulnerabilities   

Reference Description

WP-4801, WP-4802, WP-4834, WP-4841

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2020-10663 - There is no impact on SWG. The ruby core of SWG does not use this library to parse/process JSON data, so there is no input vector available for exploitation.
  • CVE-2021-31799 - There is no impact on SWG, since the package is used to generate documentation and is therefore not installed in customer environments.
  • CVE-2020-26116 - There is no impact on SWG, since Python is not in use for normal SWG functioning.
    CVE-2020-26137
    CVE-2022-0391
  • CVE-2022-34169 - There is no impact. SWG does not load untrusted code.
    CVE-2022-25647
    CVE-2022-21541
    CVE-2022-21540
    CVE-2022-21549 

For more information about these CVEs and their impact, see the Red Hat CVE portal.

Resolved issues and a change in update 9.2.23

This release resolves issues.

For a list of currently unresolved known issues, see Secure Web Gateway 9.x Known Issues (KB92141).

NOTE: Secure Web Gateway 9.2.23 is provided as a main release and archived.         

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

Changed   

The Web Hybrid Legacy settings are no longer available for configuring an appliance system.

Resolved issues  

JIRA issue numbers are provided in the reference column.

Web Filtering
Reference Resolution
WP-4761 Opening zipped files with the 7Zip opener does not fail anymore.

Other
Reference Resolution
WP-2952 Files can be downloaded and deleted again on the REST interface, which had not been possible due to an issue with troubleshooting rights.

Vulnerabilities
Reference Resolution

WP-4619, WP-4723, WP-4731, WP-4733, WP-4762, WP-4766, WP-4781

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-21476 - There is no impact on SWG because no untrusted Java code is loaded.
    CVE-2022-21496
    CVE-2022-21434
    CVE-2022-21426
    CVE-2022-21443
  • CVE-2022-24903 - There is no impact on SWG because it is not configured to be a receiver by default.
  • CVE-2022-2310 - For impact details, see Security Bulletin SB10384.
  • CVE-2022-2068 - There is no impact. The affected script is not shipped by default on customer instances.
  • CVE-2022-34914 - There is a critical impact. Immediate upgrade is strongly recommended.
  • CVE-2022-1271 - There is a moderate impact on SWG since it requires CLI access to the instance to be exploited.
  • CVE-2022-2097 - There is a low impact, since the vulnerability only affects the 32-bit implementation and does not affect TLS.

For more information about these CVEs and their impact, see the Red Hat CVE portal.

Resolved issues in update 9.2.22 

This release resolves known issues.

For a list of currently unresolved known issues, see Secure Web Gateway 9.x Known Issues (KB92141).

NOTE: Secure Web Gateway 9.2.22 is provided as a main release and archived.         

For upgrade information, see the Upgrading to a new version provided as a main release section of the Secure Web Gateway Installation Guide. 

The JIRA issue number is provided in the reference column.

Network communication
Reference Resolution
WP-3343 IP spoofing is supported for HTTP(S) when setting up proxies in Explicit Proxy or L2 Transparent mode.

Other
Reference Resolution
WP-3990 Excel 4 macros are now detected in media type filtering.

Vulnerabilities
Reference Resolution

WP-4547, WP-4598, WP-4621

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-24407 - There is no impact on SWG since the affected component is not in use. 
  • CVE-2022-1271 - There is a moderate impact on SWG since it requires CLI access to the instance to be exploited.
  • CVE-2022-1292 - There is no impact since SWG does not ship the affected script by default.
    CVE-2022-1473
    CVE-2022-1434
    CVE-2022-1343

For more information about these CVEs and their impact, see the Red Hat CVE portal.

Resolved issues in update 9.2.21 

This release resolves known issues.

For a list of currently unresolved known issues, see Secure Web Gateway 9.x Known Issues (KB92141).

NOTE: Secure Web Gateway 9.2.21 is provided as a main release and archived.         

For upgrade information, see the Upgrading to a new version provided as a main release section of the Secure Web Gateway Installation Guide. 

The JIRA issue number is provided in the reference column.

Network communication
Reference Resolution
WP-4646 An issue with high memory usage that occurred on a Secure Web Gateway for On-Prem appliance has been resolved.

Other
Reference Resolution
WP-3772 The PDF opener now also supports PDF versions below 2.0 with AESV3 encryption.
WP-4238 The rule in the script filter rule set that removes ActiveX objects from JavaScript now works correctly.
WP-4351 A table without a header is no longer recognized erroneously as application/x-compressed-arc.
WP-4650 Random f.txt file downloads on Chrome/Edge browsers do not occur anymore.

Resolved issues in update 9.2.20 

This release resolves known issues.

For a list of currently unresolved known issues, see Secure Web Gateway 9.x Known Issues (KB92141).

NOTE: Secure Web Gateway 9.2.20 is provided as a main release and archived.         

For upgrade information, see the Upgrading to a new version provided as a main release section of the Secure Web Gateway Installation Guide. 

The JIRA issue number is provided in the reference column.

Network communication
Reference Resolution
WP-4145 POST commands running while HTTP tunneling is enabled do not lead to a failure of the core process on Secure Web Gateway anymore.
WP-4541 Processing of cluster messages sent by the Notification plugin that is implemented in the core process has been improved.
WP-4558 When the data threshold of 10 GB is reached on an ICAP connection, the connection is shut down to avoid overload issues.
WP-4559 Memory can be reserved for advance usage while reading messages on Secure Web Gateway, so the length of the response is already known early, which avoids memory reallocation.

Web filtering
Reference Resolution
WP-4459 File scanning now extracts text from PDFs, which had failed before, as the scanning process went into a loop causing CPU consumption to reach 100%.

Other
Reference Resolution
WP-4362 The Secure Web Gateway rule set for file scanning now scans nested archive files, which caused issues before.
WP-4556 Coordinator crashes that led to a shutdown on a Secure Web Gateway appliance do not occur anymore.
WP-4567 The SmartCache default size value has been increased from 100 to 1000 MB.
WP-4584 Response time for CStorageJob backup and restore activities has been improved.

Vulnerabilities
Reference Resolution

WP-4432, WP-4454, WP-4591

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2022-23990
  • CVE-2022-23852
  • CVE-2022-45960
  • CVE-2022-22822
  • CVE-2022-22823
  • CVE-2022-22824
  • CVE-2022-22825
  • CVE-2021-46143
  • CVE-2022-22826
  • CVE-2022-22827
  • CVE-2022-25236
  • CVE-2022-25235
  • CVE-2022-25315
  • CVE-2022-1254
  • CVE-2018-25032

For more information about these CVEs and their impact, see the Red Hat CVE portal.
