Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Secure Web Gateway 10.2.27 Release Notes

What's new in the 10.2 release 

Releases can introduce new features and enhancements or update platform support.

Improvements for Proxy HA mode 

Several options are now available that allow for improved performance and handling when running Secure Web Gateway in Proxy High Availability (Proxy HA) network mode.

  • An inactivity timeout, a load balancing algorithm, and sticky sessions can be configured, as well as egress IP addresses to increase the number of simultaneously active connections to cluster nodes scanning web traffic.
  • Filtering traffic coming in under the SOCKS protocol is supported.

For more information, see the Proxy HA mode section of the Secure Web Gateway Product Guide.

More protocol versions for secure ICAP 

Different versions of the TLS and SSL protocols can now be selected when running Web Gateway in a secure ICAP server configuration.

For more information, see the ICAP server section of the Secure Web Gateway Product Guide.

Property for troubleshooting ATD issues 

The Antimalware.MATD.Error.MessageDetails string-type property has been added to the list of properties for use in web security rules. It provides details of an Advanced Threat Defense error message, such as timeouts, missing values, or network problems.

For more information, see the Properties - A section of the Secure Web Gateway Product Guide.

More media types detected 

More media types are detected by the functions for media type filtering on Web Gateway, including:

  • Visio files with the following extensions: vsdm, vsdx, vssm, vssx, vstm, vstx
  • CAD files
More efficiency in internal processing 
  • Several internal processes have been improved on Web Gateway as follows.
  • For users working with the WebSwing version of the user interface, the individual IP addresses of their client systems are recorded in the audit log when requests come in from these clients. The common address is no longer in use here.

This address had been logged for all users due the role as a remote desktop that WebSwing took from the point of view of the Java user interface.

A commercial WebSwing version has also been implemented to overcome some limitations of the open source versions.

  • More efficient methods of identifying customers, clients, and connections involved in issues that occurred are now used when reading core files stored in a temp folder.
  • Some enhancements have been implemented for the consistency checking tool, which identifies unused settings and lists on Web Gateway.
  • The feedback file that is evaluated on the master node in a cluster of Web Gateway appliances now provides the current version of the appliance software for each cluster node.
  • Processing lists with entries in Regex format performs better due to an improvement of the diagnostic tool.

What's new in update 10.2.1 

This release introduces several enhancements.

SmartMatch optimization 

Performance has been optimized for SmartMatch lookups by improving the way lists are handled when searching for matches.

Kerberos authentication with improved logging 

When the Kerberos authentication method is used, error logging has been improved, for example, by writing client IP addresses in the log.

Handling of HTTP2 statistics improved 

HTTP2 statistics, which are also shown on the Secure Web Gateway dashboard, are provided under the Simple Network Management Protocol (SNMP) to be read by an external SNMP manage poll.

Known Issues and Workaround

For a list of issues that are currently known, see SWG 10.x.x Known Issues and Workaround

Resolved issues in update 10.2.27 

This release resolves issues.


  • This release updates few of the FQDN used by SWG for GTI communication and Update Server communication to new Skyhigh FQDN's. Depending on features currently used by customer, post upgrade some manual changes may be required for uninterrupted service. Please refer to Migration to Skyhigh FQDN before upgrade. 
  • Secure Web Gateway 10.2.27 is provided as a main release and archived.

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.   

The JIRA issue number is provided in the reference column. 

Reference Description
WP-5476 A McAfee copyright notice that was still shown when information about an ePO extension package was provided on the user interface for Secure Web Gateway has been removed.
WP-5740 Update SWG with new Icons for consistent branding.
WP-5767 Pdf opener does not crash anymore. 

Vulnerabilities Fixed    

Reference Description
WP-5815, WP-5834

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.
The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2023-38545: This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with.

    CVE-2023-38546: This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates en easy handle called [curl_easy_duphandle]( If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as `none` (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named `none` - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course.
  • CVE-2023-42795: Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
  • Was this article helpful?