Secure Web Gateway 11.2.27 Release Note

New Features in the 11.2.x Release

Below is a consolidated list of new features available across the different 11.2.x releases. For issues resolved as part of this release please see the Resolved Issue section

NOTE: Secure Web Gateway 11.2 is provided as a main release.

For information about how to install this release, see Upgrading to a new version – Main Release. If you are installing the Secure Web Gateway appliance software for the first time, see Installing Secure Web Gateway for the First Time.

New Properties for Web Policy Rules

When configuring rules for your web policy, you can use these new items:

A new property to expose encrypted archive directory listings.
A new property to store the rule and rule set names or IDs that were processed at the end of the request and response filtering cycles.

GTI Data Included in Feedback File

Data that is collected by the GTI diagnosis script of the operating system is included in the output feedback file.

Support for Rolling TCPdump collection

Support for rolling TCPdump collection option is now available in the UI. For more details, see Create a packet tracing file. For more details on Performing Packet Tracing in Secure Web Gateway, see Performing Packet Tracing in Secure Web Gateway SWG

More Flexibility for HTTP Proxy Port Configuration

When configuring an HTTP Proxy Port, you can disable the Enable FTP over HTTP option. The option is enabled by default.

SSL Tap Configuration Enhanced

The following enhancements have been added to SSL Tap configuration:

The destination port number is not overwritten by default when tapped packets are created.
The destination MAC address can be customized when tapped packets are broadcast.
SSL tapping now supports HTTP2 on Secure Web Gateway.

Detection of Excel 4 Macros Added

Excel 4 macros are now detected in media type filtering.

IP Spoofing Supported for HTTP(S) in Proxy Configuration

IP spoofing is supported for HTTP(S) when setting up proxies in Explicit Proxy or L2 Transparent mode.

What's new in update 11.2.27

Enhancements introduced in this release are as follows

Kernel Upgrade

SWG Kernel has been updated from 4.19.256 to 4.19.319.

Support for Detection of New Media Types

SWG now supports the detection of both the UDF (Universal Disk Format) file (application/x-iso-udf-image) and the DICOM (application/dicom) media type.

Known Issues and Workaround

For a list of issues that are currently known, see SWG 11.x.x Known Issues and Workaround

Resolved Issues in the 11.2.27 Release

NOTE: Secure Web Gateway 11.2.27 is provided as a main release and archived.

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

The list of resolved issues is mentioned below

JIRA issue numbers are provided in the reference columns.

Reference	Description
WP-6079	Text extraction in PDF Opener has been improved
WP-6206	Outbound override previously worked consistently only with VIPs; it now works with all types of IP addresses
WP-6386	A core crash was observed when SNHP was configured with the Proxy Style Request option disabled; this issue has now been resolved.
WP-6391	When you drag and drop a message from Outlook to your desktop, it was previously scanned and showed a BodyisCorrupted error. Now, the file is no longer showing as corrupted, and the scan indicates that no malware was found.

Vulnerabilities Fixed

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.
The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

Reference	CVE	Description
WP-6374	CVE-2023-35001	Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace
	CVE-2023-35788	An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation.
	CVE-2023-4206	A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation. When route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old example in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecafl3c8.
	CVE-2023-4207	A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation. When fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec.
	CVE-2023-4208	A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation. When u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.
	CVE-2023-45871	An issue was discovered in drivers/net/ethernet/intel/igb/igb_main.c in the IGB driver in the Linux kernel before 6.5.3. A buffer size may not be adequate for frames larger than the MTU.
	CVE-2023-4622	A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation. When the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug and lack of error checking in agg_dequeue(). We recommend upgrading past commit 8fc134fee27f2263988ae38920bc03da416b03d8.
	CVE-2023-4921	A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation. When the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug and lack of error checking in agg_dequeue(). We recommend upgrading past commit 8fc134fee27f2263988ae38920bc03da416b03d8.
WP-6394	CVE-2024-3248	Less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, which is set by default in many common cases.
WP-6396	CVE-2024-7264	Libcurl's ASN1 parser code has the 'GTime2str()' function, used for parsing an ASN.1 Generalized Time field. If given a syntactically incorrect field, the parser might use -1 for the length of the time fraction, leading to a 'strlen()' getting performed on a pointer to a heap buffer area that is not (purposely) null-terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when [CURLINFO_CERTINFO](http://curl.se/libcurl/c/CURLINFO.html) is used.

For resolved issues on the previous releases and other information, see Secure Web Gateway 11.2.x Release Notes