
Skyhigh Security

Secure Web Gateway 11.2.20 Release Note

New Features in the 11.2 Release 

This release provides the following new features. For resolved issues in this release and the update releases, see further below.

NOTE: Secure Web Gateway 11.2 is provided as a main release.

For information about how to install this release, see Upgrading to a new version – Main Release. If you are installing the Secure Web Gateway appliance software for the first time, see Installing Secure Web Gateway for the First Time.

New Properties for Web Policy Rules  

When configuring rules for your web policy, you can use these new items:

  • A new property to expose encrypted archive directory listings.
  • A new property to store the rule and rule set names or IDs that were processed at the end of the request and response filtering cycles.

GTI Data Included in Feedback File  

Data that is collected by the GTI diagnosis script of the operating system is included in the output feedback file.

Support for Rolling TCPdump collection 

A rolling TCPdump collection option is now available in the UI. For more details, see Create a packet tracing file and Performing Packet Tracing in Secure Web Gateway.

More Flexibility for HTTP Proxy Port Configuration  

When configuring an HTTP Proxy Port, you can disable the Enable FTP over HTTP option. The option is enabled by default.

SSL Tap Configuration Enhanced  

The following enhancements have been added to SSL Tap configuration:

  • The destination port number is not overwritten by default when tapped packets are created.
  • The destination MAC address can be customized when tapped packets are broadcast.
  • SSL tapping now supports HTTP2 on Secure Web Gateway.

Detection of Excel 4 Macros Added  

Excel 4 macros are now detected in media type filtering. 

IP Spoofing Supported for HTTP(S) in Proxy Configuration  

IP spoofing is supported for HTTP(S) when setting up proxies in Explicit Proxy or L2 Transparent mode.

Known Issues and Workaround 

For a list of issues that are currently known, see SWG 11.x.x Known Issues and Workaround.

What's New in Update 11.2.20 

DNS Health Check 

SWG operations rely heavily on stable DNS connectivity to access servers on the web. Within the SWG Management console, administrators have the option to configure three DNS servers (Primary, Secondary, Tertiary). For more details, see DNS Health Check.

PAM RADIUS Solution for Non-Native SWG Users

Existing SWG installations rely on the PAM RADIUS module to authenticate SSH users against the RADIUS server.

It is important to understand that the authentication sequence compares user information against two types of databases:

  • Local Linux user accounts
  • RADIUS directory lookup (due to the PAM RADIUS module)

For more details, see PAM RADIUS Solution for Non-Native SWG Users.

Resolved issues in update 11.2.20 

This release resolves known issues.   

NOTE: Secure Web Gateway 11.2.20 is provided as a main release and archived.

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.

JIRA issue numbers are provided in the reference columns.

Reference Description
WP-4284 SWG now detects a close_notify alert while checking for ConnectionStillOk after reading the response header.
WP-5902 Secure NHP to cloud normalizes URIs as per RFC 3986, section 3.2.3.
WP-5958 Support for non-local users in SWG PAM RADIUS is now available.
WP-5985 The user agent names have been rebranded from McAfee Web Gateway to Skyhigh Secure Web Gateway for the TAU connection.
WP-5998 An issue with high memory usage that occurred on a Secure Web Gateway for On-Prem appliance has been resolved.
WP-6023 The list entries are restored from the backup file where the system list has the same list name and a different javaID.
WP-6038 Password-protected 7z files are now detected without any issues.
WP-6052 The new time zone for Kazakhstan is available after upgrading the tzdata package to version 2024a-1.
WP-6074 HTTP2 data trickling works normally during the scan process.

Vulnerabilities Fixed     

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.
The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

Reference CVE Description
WP-6015 CVE-2023-6816 A flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255, but the X.Org Server was only allocating space for the device's particular number of buttons, leading to a heap overflow if a bigger value was used.
WP-6015 CVE-2024-0229 An out-of-bounds memory access flaw was found in the X.Org server. This issue can be triggered when a device frozen by a sync grab is reattached to a different master device. This issue may lead to an application crash, local privilege escalation (if the server runs with extended privileges), or remote code execution in SSH X11 forwarding environments.
WP-6015 CVE-2024-0408 A flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues another request to access that resource (as with a GetGeometry) or when it creates another resource that needs to access that buffer, such as a GC, the XSELINUX code will try to use an object that was never labeled and crash because the SID is NULL.
WP-6015 CVE-2024-0409 A flaw was found in the X.Org server. The cursor code in both Xephyr and Xwayland uses the wrong type of private at creation. It uses the cursor bits type with the cursor as private, and when initiating the cursor, that overwrites the XSELINUX context.
WP-6015 CVE-2024-21885 A flaw was found in X.Org server. In the XISendDeviceHierarchyEvent function, it is possible to exceed the allocated array length when certain new device IDs are added to the xXIHierarchyInfo struct. This can trigger a heap buffer overflow condition, which may lead to an application crash or remote code execution in SSH X11 forwarding environments.
WP-6015 CVE-2024-21886 A heap buffer overflow flaw was found in the DisableDevice function in the X.Org server. This issue may lead to an application crash or, in some circumstances, remote code execution in SSH X11 forwarding environments.
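
The sizing mistake described for CVE-2023-6816, shown as a simplified model with a bounds-checked fix. This is an added example, not X.Org or Skyhigh code; all function names and the 3-button sample device are constructed for illustration, and the corrected sizing shown is one way to close the gap, not necessarily the upstream patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BUTTON_VALUE 255u /* from the CVE text: mappings go up to 255 */

/* Flawed sizing: one bit per button the device has. */
size_t mask_len_by_count(unsigned num_buttons) {
    return (num_buttons + 7u) / 8u;
}

/* Corrected sizing: one bit per value a button can be mapped to (0..255). */
size_t mask_len_by_max_value(void) {
    return MAX_BUTTON_VALUE / 8u + 1u;
}

/* Set the bit for a mapped button value; refuse writes outside the mask. */
int set_button_bit(uint8_t *mask, size_t mask_len, unsigned mapped) {
    if (mapped > MAX_BUTTON_VALUE || mapped / 8u >= mask_len)
        return -1;
    mask[mapped / 8u] |= (uint8_t)(1u << (mapped % 8u));
    return 0;
}

/* Record every pressed button; return how many did not fit in the mask. */
int build_mask(const uint8_t *map, const uint8_t *down, unsigned n,
               uint8_t *mask, size_t mask_len) {
    int rejected = 0;
    memset(mask, 0, mask_len);
    for (unsigned i = 0; i < n; i++)
        if (down[i] && set_button_bit(mask, mask_len, map[i]) != 0)
            rejected++;
    return rejected;
}

/* Constructed sample: 3-button device, third button remapped to 200. */
int demo_rejected(int size_by_max_value) {
    const uint8_t map[3] = {1, 2, 200}, down[3] = {1, 1, 1};
    uint8_t mask[32];
    size_t len = size_by_max_value ? mask_len_by_max_value()
                                   : mask_len_by_count(3);
    return build_mask(map, down, 3, mask, len);
}

int main(void) {
    printf("sized by count: %d rejected\n", demo_rejected(0));
    printf("sized by max value: %d rejected\n", demo_rejected(1));
    return 0;
}
```

With the mask sized by button count, the bounds check is the only thing that stops the write for the button mapped to 200; sizing by the maximum mapped value removes the mismatch itself.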

For resolved issues on the previous releases and other information, see Secure Web Gateway 11.2.x Release Notes.
