Skip to main content

Welcome to Skyhigh Security!

Skyhigh Security

Skyhigh Security Cloud Known and Resolved Issues 6.0.1 (May 2022)

Skyhigh CASB

Resolved Issues

Reference Description
May 10, 2022 When running the ODS Scan for OneDrive, the scan is auto paused, and the status of the scan does not proceed from the initializing phase due to a large user base which results in rate-limiting. The scan restarts and fetches the root folders from the beginning if there is an error during the initialization phase. This issue has been fixed by adding a feature flag to change the logic of fetching root folders from the ODS crawler phase instead of the initialization phase. To enable this feature flag, contact Skyhigh CASB Support for assistance.

Skyhigh Private Access

Resolved issues

Reference Description
PAC-1545 Instead of FQDN, the hostname of the VM (RHEL/ Ubuntu)  is now used to update the POP name in the Skyhigh CASB.

Known issue

Reference Description
PAC-1363 When you see cwpp-pop-manager pod is in a CrashLoopBackOff state, then it is due to the DNS resolution errors.
Workaround:  Add the private DNS server to the cwpp-connector pod.
  1. Run kubectl get pods -n cwppto get the name of the cwpp-connector pod.
    Copy the name of the cwpp-connector pod.

  2. Run kubectl exec -it <cwpp-connector-podname> -n cwpp bashto login to the cwpp-connector pod.
  3. Add the private DNS server to the pod.
    1. Edit /etc/resolv.conf.
    2. Add private DNS IP to the list of nameservers as nameserver <DNS server IP>.
    3. Exit the pod.
  4. List pods and verify kubectl get pods -n cwpp
    The pop-manager pod will be in the completed state in the next few minutes – within 5 minutes.
  5. Verify that the pop is displayed in the healthy status in the Skyhigh Security UI. 

 

Skyhigh Secure Web Gateway (On-Prem)

Resolved issues in 11.0.2

This release resolves known issues.

NOTE: Secure Web Gateway 11.0.2 is provided as a controlled release.           

For information about how to upgrade to this release, see Upgrade to a new version provided as a controlled release.

The JIRA issue number is provided in the reference column.

Vulnerabilities 

Reference Description
WP-4355 This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers. The following medium and higher level CVEs (CVSS 3.0 >= 4) were involved:
  • CVE-2021-44228
  • CVE-2021-45046
For more information about these CVEs and their impact, see the Red Hat CVE portal.

Resolved issues in 11.0.1

This release resolves known issues.

NOTE: Skyhigh Security Secure Web Gateway 11.0.1 is provided as a controlled release.

For information about how to upgrade to this release, see Upgrade to a new version provided as a controlled release.

JIRA issue numbers are provided in the reference column.

Web filtering 

Reference Description
WP-4158 The time consumed during a transaction can be retrieved again as a value for the Timer.TimeInTransaction property when Secure Web Gateway is running as a proxy under TCP or the SOCKS protocol.

Other 

Reference Description
WP-3247 The mcelog service will only be enabled on physical appliances now and will remain disabled on virtual appliances.

Resolved issues in 11.0

This release resolves known issues.

NOTE: Skyhigh Security Secure Web Gateway 11.0.x s provided as a controlled release.

For information about how to upgrade to this release, see Upgrade to a new version provided as a controlled release.

JIRA issue numbers are provided in the reference column. 

Network communication 

Reference Description
WP-1455 POST commands run while HTTP tunneling is enabled do not lead to a failure of the core process on Secure Web Gateway anymore.
WP-3637 When the NTLM authentication method is applied, submitting user names in the User Principal Name (UPN) format does not lead to a failure of the authentication process anymore.
WP-3810 When a director node is not working as a scanner in a Proxy High Availability (Proxy HA) configuration, the proxy on Secure Web Gateway listens to other scanning nodes again.
WP-4073 When using the IP Neigh network tool for troubleshooting on a Secure Web Gateway appliance with an HTML-based user interface, bindings between protocol and link layer addresses are displayed again.

Authentication 

Reference Description
WP-3637 When the NTLM authentication method is applied, submitting user names in the User Principal Name (UPN) format does not lead to a failure of the authentication process anymore.

Web filtering 

Reference Description
WP-3072 Only errors relating to the user interface are logged in the mwg.ui.errors log, whereas unexpected errors, such as error 143 and others, are not logged anymore.
WP-3658 When uncategorized URLs are blocked, events are successfully synchronized for two Trusted Source properties, which had not worked properly before, as an unexpected event had been added.
WP-3663 When running Advanced Threat Defense (ATD) to scan web traffic, a previous detection of malware can be reused, which had not worked for a zip file due to incorrectly querying md5 information.
WP-3751 Upgrade packages for Secure Web Gateway can be downloaded, which had not been possible because the PGP key files inside these packages were blocked as encrypted media types.
WP-3811 Requests to retrieve CRL and OSCP information about the status of certificates used for secure communication are forwarded, which had not worked in a next-hop proxy chain with two Secure Web Gateway appliances.
WP-3904 Infinite loops that were created on some occasions when zip archives were scanned, causing threads to hang and resulting in problems with high CPU and memory load, do no longer occur.

Other 

Reference Description
WP-2686 Documents containing Austrian IBAN numbers are detected with the Data Loss Protection (DLP) functions on Secure Web Gateway even if spaces between number groups are omitted.
WP-3951 An issue that caused the core process on a Point-of-Presence (PoP) for Secure Web Gateway to fail has been resolved.
WP-3998 An issue that caused the core process on Secure Web Gateway running as a node in a cluster to fail has been resolved.
WP-4010 The latest KVM build for the Oracle Cloud Infrastructure (OCI) that Secure Web Gateway runs with can be downloaded again.
WP-4022 The rsyslog daemon had kept the /var/log/haproxy/ haproxy-info_1.log file open until all disk space had been filled up on a Secure Web Gateway appliance. This has been fixed now and log rotation works fine again.
WP-4043 Admins can log on to the Secure Web Gateway user interface again from external accounts.

Vulnerabilities 

Reference Description

WP-3468, WP-3580,

WP-3656, WP-3765,

WP-3792, WP-3806,

WP-3815, WP-3878,

WP-3882, WP-3934,

WP-3935, WP-3936,

WP-3999, WP-4003,

WP-4021, WP-4058,

WP-4067, WP-4203

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2016-3674
  • CVE-2017-7957
  • CVE-2017-11610
  • CVE-2019-10208,
  • CVE-2020-15250
  • CVE-2020-24489
  • CVE-2020-25111, CVE-2020-25112, CVE-2020-25113, CVE-2020-25648, CVE-2020-25649, CVE-2020-25694, CVE-2020-25695
  • CVE-2020-26217
  • CVE-2021-2369, CVE-2021-2388
  • CVE-2021-3472
  • CVE-2021-3520
  • CVE-2021-3711, CVE-2021-3712
  • CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350, CVE-2021-21351
  • CVE-2021-22876, CVE-2021-22890, CVE-2021-22901
  • CVE-2021-25214, CVE-2021-25217
  • CVE-2021-27219
  • CVE-2021-30640
  • CVE-2021-31535
  • CVE-2021-32027
  • CVE-2021-33909

For more information about these CVEs and their impact, see the Red Hat CVE portal.

Skyhigh Client Proxy

Resolved issues in 4.4.0

Reference Issue Description
MCP-4539 Entering incorrect release code no longer crashes the Client Proxy console. (Mac only)
MCP-4730 The connection to private applications based on the RDP protocol failed when configured by using the IP address. This issue is now resolved. (Windows only)
MCP-4809 After rebooting the system, Client Proxy now displays the policy name in the System information header correctly.   
MCP-4893 Client Proxy on-premise extension now saves the changes made to the policy and generates the revision ID correctly.  
MCP-4916 Client Proxy now redirects the traffic and automatically loads the system extensions. (Mac only)
MCP-4917 Client Proxy lost network connectivity after updating the macOS. This issue is now resolved.
MCP-4918, MCP-4919, MCP-4920 Client Proxy now instantly connects to the proxy server after rebooting the system. (Mac only)

 

  • Was this article helpful?