Skyhigh Security

Secure Web Gateway 12.2.6 Release Notes

New Features in the 12.2 Release    

This release provides the following new features. For resolved issues in this release and the update releases, see further below.

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.   

Rebranding to Account for Transition    

Names of products, components, and other items have been rebranded to account for the transition from McAfee to Secure Web Gateway.

Rebranded SNMP SMI and MIB file with updated Org OID for Skyhigh Security    

As part of the rebranding, a new Object Identifier (OID) has been introduced for the organization Skyhigh Security. The SNMP OID is changing from .1.3.6.1.4.1.1230* to .1.3.6.1.4.1.59732*. Update your management software accordingly if it refers to these OIDs. For more details, see Configure event monitoring with SNMP.
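One way to audit and update management-software configuration for this OID change, as an added example that is not Skyhigh Security's code. It assumes only the enterprise number changes and the arcs below it stay the same (verify against the new MIB file); the sample configuration, its keys and its sub-identifiers are constructed.

```python
import re

OLD_ENTERPRISE = "1230"   # enterprise number being retired (from the release note)
NEW_ENTERPRISE = "59732"  # Skyhigh Security enterprise number (from the release note)

# Match the enterprise prefix with or without a leading dot, but only as a
# whole prefix: not embedded in a longer OID, and not when 1230 is merely the
# start of another enterprise number such as 12300.
_OLD_PREFIX = re.compile(
    r"(?<![\d.])(\.?1\.3\.6\.1\.4\.1\.)" + OLD_ENTERPRISE + r"(?!\d)"
)

# Constructed sample; keys and sub-identifiers are hypothetical.
SAMPLE_CONFIG = """\
trap_filter = .1.3.6.1.4.1.1230.2.7.1
poll_oid = 1.3.6.1.4.1.1230.2.7.2.1.0
other_vendor = .1.3.6.1.4.1.12300.1.1
embedded = .1.3.6.1.6.3.1.3.6.1.4.1.1230
"""


def find_old_oids(text):
    """Return (line_number, line) for every line still using the old prefix."""
    return [
        (number, line)
        for number, line in enumerate(text.splitlines(), 1)
        if _OLD_PREFIX.search(line)
    ]


def rewrite_oids(text):
    """Return (new_text, count) with the old enterprise prefix replaced.

    Assumption: the arcs below the enterprise number are unchanged.
    """
    return _OLD_PREFIX.subn(lambda m: m.group(1) + NEW_ENTERPRISE, text)


if __name__ == "__main__":
    for number, line in find_old_oids(SAMPLE_CONFIG):
        print(f"line {number}: {line}")
    updated, count = rewrite_oids(SAMPLE_CONFIG)
    print(f"{count} reference(s) rewritten")
    print(updated, end="")
```

Run the audit function first and review the hits before writing any rewritten file back, since trap receivers and pollers may need both prefixes during a staged upgrade.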

Trellix VX Integration to SWG   

SWG 12.2.0 supports integration with Trellix Virtual Execution (VX). For more details, see Trellix Virtual Execution Integration to SWG.

Detection of OneNote files  

New media type detection has been added for OneNote files to detect .one and .onepkg files.

InsecureNetlogon   

The insecure NETLOGON channel is blocked by default. To explicitly allow insecure NETLOGON, a new checkbox is provided in the Windows Join Domain Dialogue. For more details, see InsecureNetlogon.

TCP Health Check   

Prior to this feature, SWG would send live traffic to Next Hop Proxies to determine their health, which resulted in delayed responses when a Next Hop Proxy was not healthy. With this feature, SWG knows the health of the Next Hop Proxies beforehand. For more details, see TCP Health Check for Next Hop Proxy.

Server Chunk Encoding   

A new checkbox option is provided in the proxy control event settings, which lets you enforce chunked transfer encoding on server requests from SWG. For more details, see Server Side Chunk Encoding.

Connect Response Based on HTTP-Protocol  

Previously, the Connection Established response message always showed HTTP/1.0, even if the HTTP protocol version of the request was HTTP/1.1. You can now configure this under Proxy Control Event, where you can select to send back the Connection Established response text based on the HTTP protocol version received. For more details, see Configure Connection Established Response based on HTTP Protocol Version.

Support for pipelined application/HTTP

A new media type has been added to media type filtering for detection and Openers for pipelined Application/HTTP. 

New Properties for Multiline Base64  

To support multiline Base64, new properties have been added in SWG.

Support for kdbx-kdb-Filetype  

A new media type has been added to media type filtering to detect files of the kdbx and kdb types.

Client certificate authentication for HTML UI  

Client certificate authentication is now available for the HTML UI. For more details, see Client Certificate Authentication for HTML UI.

Configurable size limit of single XML attributes

The configurable size limit of single XML attributes has been increased to reduce errors on startup when having large inline lists.

What's New in Update 12.2.6 

DNS Health Check 

SWG operations rely heavily on stable DNS connectivity to access servers on the web. Within the SWG Management console, administrators have the option to configure three DNS servers (Primary, Secondary, Tertiary). For more details, see DNS Health Check.

PAM RADIUS Solution for Non-Native SWG Users

Existing SWG installations rely on the PAM RADIUS module to authenticate SSH users against the RADIUS server.

It is important to understand that the authentication sequence compares user information against two types of databases:

  • Local Linux user accounts
  • RADIUS directory lookup (due to the PAM RADIUS module)

For more details, see PAM RADIUS Solution for Non-Native SWG Users.

Resolved Issues in the 12.2.6 Release     

This release resolves known issues.

NOTE: Secure Web Gateway 12.2.6 is provided as a main release.    

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.   

JIRA issue numbers are provided in the reference columns.

Reference Description
WP-4284 SWG is now detecting a close_notify alert while checking for ConnectionStillOk after reading the response header.
WP-5416 DNS health check is now supported in SWG. 
WP-5541 The Next Hop Proxy List now features a checkbox enabling TCP health checks for a specific host and port, which is automatically pushed to the Configuration->Cluster->Health Check configuration.
WP-5902 Secure NHP to cloud will normalize URIs as per RFC 3986 section 3.2.3.
WP-5958 Support for non-local users in SWG PAM RADIUS is now available.
WP-5998 An issue with high memory usage that occurred on a Secure Web Gateway for On-Prem appliance has been resolved.
WP-6023 The list entries restore the backup file where the system list has the same list name and different javaID.
WP-6038 The password protected 7z file is now getting detected without any issues.
WP-6052 The new time zone for Kazakhstan can be seen when the tzdata package is upgraded to version 2024a-1.
WP-6074 HTTP2 Data trickling is working normally during the scan process.

 

Vulnerabilities Fixed    

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.
The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

Reference CVE Description
WP-6015 CVE-2023-6816 A flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255, but the X.Org Server was only allocating space for the device's particular number of buttons, leading to a heap overflow if a bigger value was used.
WP-6015 CVE-2024-0229 An out-of-bounds memory access flaw was found in the X.Org server. This issue can be triggered when a device frozen by a sync grab is reattached to a different master device. This issue may lead to an application crash, local privilege escalation (if the server runs with extended privileges), or remote code execution in SSH X11 forwarding environments.
WP-6015 CVE-2024-0408 A flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues another request to access that resource (as with a GetGeometry) or when it creates another resource that needs to access that buffer, such as a GC, the XSELINUX code will try to use an object that was never labeled and crash because the SID is NULL.
WP-6015 CVE-2024-0409 A flaw was found in the X.Org server. The cursor code in both Xephyr and Xwayland uses the wrong type of private at creation. It uses the cursor bits type with the cursor as private, and when initiating the cursor, that overwrites the XSELINUX context.
WP-6015 CVE-2024-21885 A flaw was found in X.Org server. In the XISendDeviceHierarchyEvent function, it is possible to exceed the allocated array length when certain new device IDs are added to the xXIHierarchyInfo struct. This can trigger a heap buffer overflow condition, which may lead to an application crash or remote code execution in SSH X11 forwarding environments.
WP-6015 CVE-2024-21886 A heap buffer overflow flaw was found in the DisableDevice function in the X.Org server. This issue may lead to an application crash or, in some circumstances, remote code execution in SSH X11 forwarding environments.

For resolved issues in the previous releases and other information, see Secure Web Gateway 12.2.x Release Notes.