Skyhigh Security Cloud Known and Resolved Issues 6.0.1 (May 2022)

Skyhigh CASB

Resolved Issues

Reference	Description
May 10, 2022	When running the ODS Scan for OneDrive, the scan is auto paused, and the status of the scan does not proceed from the initializing phase due to a large user base which results in rate-limiting. The scan restarts and fetches the root folders from the beginning if there is an error during the initialization phase. This issue has been fixed by adding a feature flag to change the logic of fetching root folders from the ODS crawler phase instead of the initialization phase. To enable this feature flag, contact Skyhigh CASB Support for assistance.

Reference

Description

May 10, 2022

When running the ODS Scan for OneDrive, the scan is auto paused, and the status of the scan does not proceed from the initializing phase due to a large user base which results in rate-limiting. The scan restarts and fetches the root folders from the beginning if there is an error during the initialization phase. This issue has been fixed by adding a feature flag to change the logic of fetching root folders from the ODS crawler phase instead of the initialization phase. To enable this feature flag, contact Skyhigh CASB Support for assistance.

Skyhigh Private Access

Resolved issues

Reference	Description
PAC-1545	Instead of FQDN, the hostname of the VM (RHEL/ Ubuntu) is now used to update the POP name in the Skyhigh CASB.

Known issue

Reference Description

PAC-1363

Reference	Description
PAC-1363	When you see cwpp-pop-manager pod is in a CrashLoopBackOff state, then it is due to the DNS resolution errors. Workaround: Add the private DNS server to the cwpp-connector pod. Run `kubectl get pods -n` `cwpp`to get the name of the cwpp-connector pod. Copy the name of the cwpp-connector pod. Run `kubectl exec -it <cwpp-connector-podname> -n cwpp` `bash`to login to the cwpp-connector pod. Add the private DNS server to the pod. Edit `/etc/resolv.conf.` Add private DNS IP to the list of nameservers as `nameserver <DNS server IP>.` Exit the pod. List pods and verify `kubectl get pods -n cwpp` The pop-manager pod will be in the completed state in the next few minutes – within 5 minutes. Verify that the pop is displayed in the healthy status in the Skyhigh Security UI.

When you see cwpp-pop-manager pod is in a CrashLoopBackOff state, then it is due to the DNS resolution errors.
Workaround: Add the private DNS server to the cwpp-connector pod.

Run kubectl get pods -n cwppto get the name of the cwpp-connector pod.
Copy the name of the cwpp-connector pod.
Run kubectl exec -it <cwpp-connector-podname> -n cwpp bashto login to the cwpp-connector pod.
Add the private DNS server to the pod.
1. Edit /etc/resolv.conf.
2. Add private DNS IP to the list of nameservers as nameserver <DNS server IP>.
3. Exit the pod.
List pods and verify kubectl get pods -n cwpp
The pop-manager pod will be in the completed state in the next few minutes – within 5 minutes.
Verify that the pop is displayed in the healthy status in the Skyhigh Security UI.

Skyhigh Secure Web Gateway (On-Prem)

Resolved issues in 11.0.2

This release resolves known issues.

NOTE: Secure Web Gateway 11.0.2 is provided as a controlled release.

For information about how to upgrade to this release, see Upgrade to a new version provided as a controlled release.

The JIRA issue number is provided in the reference column.

Vulnerabilities

Reference	Description
WP-4355	This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers. The following medium and higher level CVEs (CVSS 3.0 >= 4) were involved: CVE-2021-44228 CVE-2021-45046 For more information about these CVEs and their impact, see the Red Hat CVE portal.

Resolved issues in 11.0.1

This release resolves known issues.

NOTE: Skyhigh Security Secure Web Gateway 11.0.1 is provided as a controlled release.

For information about how to upgrade to this release, see Upgrade to a new version provided as a controlled release.

JIRA issue numbers are provided in the reference column.

Web filtering

Reference	Description
WP-4158	The time consumed during a transaction can be retrieved again as a value for the Timer.TimeInTransaction property when Secure Web Gateway is running as a proxy under TCP or the SOCKS protocol.

Other

Reference	Description
WP-3247	The mcelog service will only be enabled on physical appliances now and will remain disabled on virtual appliances.

Resolved issues in 11.0

This release resolves known issues.

NOTE: Skyhigh Security Secure Web Gateway 11.0.x s provided as a controlled release.

For information about how to upgrade to this release, see Upgrade to a new version provided as a controlled release.

JIRA issue numbers are provided in the reference column.

Network communication

Reference	Description
WP-1455	POST commands run while HTTP tunneling is enabled do not lead to a failure of the core process on Secure Web Gateway anymore.
WP-3637	When the NTLM authentication method is applied, submitting user names in the User Principal Name (UPN) format does not lead to a failure of the authentication process anymore.
WP-3810	When a director node is not working as a scanner in a Proxy High Availability (Proxy HA) configuration, the proxy on Secure Web Gateway listens to other scanning nodes again.
WP-4073	When using the IP Neigh network tool for troubleshooting on a Secure Web Gateway appliance with an HTML-based user interface, bindings between protocol and link layer addresses are displayed again.

Authentication

Reference	Description
WP-3637	When the NTLM authentication method is applied, submitting user names in the User Principal Name (UPN) format does not lead to a failure of the authentication process anymore.

Web filtering

Reference	Description
WP-3072	Only errors relating to the user interface are logged in the mwg.ui.errors log, whereas unexpected errors, such as error 143 and others, are not logged anymore.
WP-3658	When uncategorized URLs are blocked, events are successfully synchronized for two Trusted Source properties, which had not worked properly before, as an unexpected event had been added.
WP-3663	When running Advanced Threat Defense (ATD) to scan web traffic, a previous detection of malware can be reused, which had not worked for a zip file due to incorrectly querying md5 information.
WP-3751	Upgrade packages for Secure Web Gateway can be downloaded, which had not been possible because the PGP key files inside these packages were blocked as encrypted media types.
WP-3811	Requests to retrieve CRL and OSCP information about the status of certificates used for secure communication are forwarded, which had not worked in a next-hop proxy chain with two Secure Web Gateway appliances.
WP-3904	Infinite loops that were created on some occasions when zip archives were scanned, causing threads to hang and resulting in problems with high CPU and memory load, do no longer occur.

Other

Reference	Description
WP-2686	Documents containing Austrian IBAN numbers are detected with the Data Loss Protection (DLP) functions on Secure Web Gateway even if spaces between number groups are omitted.
WP-3951	An issue that caused the core process on a Point-of-Presence (PoP) for Secure Web Gateway to fail has been resolved.
WP-3998	An issue that caused the core process on Secure Web Gateway running as a node in a cluster to fail has been resolved.
WP-4010	The latest KVM build for the Oracle Cloud Infrastructure (OCI) that Secure Web Gateway runs with can be downloaded again.
WP-4022	The rsyslog daemon had kept the /var/log/haproxy/ haproxy-info_1.log file open until all disk space had been filled up on a Secure Web Gateway appliance. This has been fixed now and log rotation works fine again.
WP-4043	Admins can log on to the Secure Web Gateway user interface again from external accounts.

Vulnerabilities

Reference

Description

WP-3468, WP-3580,

WP-3656, WP-3765,

WP-3792, WP-3806,

WP-3815, WP-3878,

WP-3882, WP-3934,

WP-3935, WP-3936,

WP-3999, WP-4003,

WP-4021, WP-4058,

WP-4067, WP-4203

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.

The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

CVE-2016-3674
CVE-2017-7957
CVE-2017-11610
CVE-2019-10208,
CVE-2020-15250
CVE-2020-24489
CVE-2020-25111, CVE-2020-25112, CVE-2020-25113, CVE-2020-25648, CVE-2020-25649, CVE-2020-25694, CVE-2020-25695
CVE-2020-26217
CVE-2021-2369, CVE-2021-2388
CVE-2021-3472
CVE-2021-3520
CVE-2021-3711, CVE-2021-3712
CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350, CVE-2021-21351
CVE-2021-22876, CVE-2021-22890, CVE-2021-22901
CVE-2021-25214, CVE-2021-25217
CVE-2021-27219
CVE-2021-30640
CVE-2021-31535
CVE-2021-32027
CVE-2021-33909

For more information about these CVEs and their impact, see the Red Hat CVE portal.

Skyhigh Client Proxy

Resolved issues in 4.4.0

Reference	Issue Description
MCP-4539	Entering incorrect release code no longer crashes the Client Proxy console. (Mac only)
MCP-4730	The connection to private applications based on the RDP protocol failed when configured by using the IP address. This issue is now resolved. (Windows only)
MCP-4809	After rebooting the system, Client Proxy now displays the policy name in the System information header correctly.
MCP-4893	Client Proxy on-premise extension now saves the changes made to the policy and generates the revision ID correctly.
MCP-4916	Client Proxy now redirects the traffic and automatically loads the system extensions. (Mac only)
MCP-4917	Client Proxy lost network connectivity after updating the macOS. This issue is now resolved.
MCP-4918, MCP-4919, MCP-4920	Client Proxy now instantly connects to the proxy server after rebooting the system. (Mac only)