Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Secure Web Gateway 12.2.3 Release Notes

New Features in the 12.2.x Release   Edit section

This release provides the following new features. For resolved issues in this release and the update releases, see further below.

For information about how to upgrade to this release, see Upgrading to a New Version - Controlled Release.

Rebranding to Account for Transition   

Names of products, components, and other items have been rebranded to account for the transition from McAfee to Secure Web Gateway.

Rebranded SNMP SMI and MIB file with updated Org OID for Skyhigh Security   

As part of the rebranding, a new Object Identifier (OID) has been introduced for Org Skyhigh Security. We are updating the SNMP OID from .1.3.6.1.4.1.1230* to .1.3.6.1.4.1.59732*. You'll need to update your management software accordingly if they are referring to these OID. For more details, see Configure event monitoring with SNMP.

Trellix VX Integration to SWG  

The SWG 12.2.0 supports integration with Trellix Virtual Execution (VX). For more details, see Trellix Virtual Execution Integration to SWG.

Detection of OneNote files 

New Mediatype detection has been added for OneNote files to detect .one and .onepkg files. 

InsecureNetlogon  

Insecure NETLOGON channel is blocked by default. To explicitly allow Insecure NETLOGON, a new checkbox is provided in Windows Join Domain Dialogue. For more details, see InsecureNetlogon 

TCP Health Check  

Prior to this features, SWG would send live traffic to Next Hop Proxies to determine its health which resulted in delayed response in case Next Hop Proxy is not healthy. With this feature, SWG will have knowledge of the health of the Next Hop Proxies beforehand. For more details, see TCP Health Check for Next Hop Proxy.

Server Chunk Encoding  

A new check box option is provided in proxy control event settings, which allows to enforce chunk encoding transfer on server requests from SWG. For more details, see Server Side Chunk Encoding

Connect Response Based on HTTP-Protocol 

Connection Established response message always shows HTTP1.0 even if the HTTP Protocol header of the request was HTTP1.1. Now you can configure this under Proxy Control Event, where we can select to send back the Connection Established Response text based on the HTTP Protocol version received.   For more details, see Configure Connection Established Response based on HTTP Protocol Version.

Support to pipelined application/HTTP 

A new media type has been added to media type filtering for detection and Openers for pipelined Application/HTTP. 

New Properties for Multiline Base64 

To support the multiline Base-64, new properties are added in SWG

Support for kdbx-kdb-Filetype 

A new media type has been added to media type filtering to detect files of the kdbx and kdb types.

Client certificate authentication for HTML UI 

Client certificate authentication is now added for the HTML UI, For more details, see Client Certificate Authentication for HTML UI.

Configurable size limit of single XML attributes 

The configurable size limit of single XML attributes has been increased to reduce errors on startup when having large inline lists.

What's new in update 12.2.3   

Enhancements have been introduced as follows in this release.

  • Integration of Fortanix DSM
    • Fortanix DSM integration to SWG is to provide the Hardware Security Module functionality (HSM). For more details, see Integration of Fortanix DSM

Resolved Issues in the 12.2.3 Release    

This release resolves known issues.

NOTE: Secure Web Gateway 12.2.3 is provided as a main release.    

For information about how to upgrade to this release, see Upgrading to a new version – Main Release.   

JIRA issue numbers are provided in the reference columns.

Reference Description
WP-3339 Enable in Cloud information is now showed in the audit.log. 
WP-4265 Using the REST API to push a configuration.xml file from another location to Secure Web Gateway after modifying the configuration on the user interface now works as expected.
WP-4869 Webswing login is working as normal for cloud images.
WP-5199 Webswing has been Upgraded from 20.1.16 to 22.1.18 LTS. 
WP-5476 A McAfee copyright notice that was still shown when information about an ePO extension package was provided on the user interface for Secure Web Gateway has been removed.
WP-5572 Validation issues for 'Server Address' in health check configuration has been resolved. 
WP-5574 Preview in the template editor displays the updated image on the block page.
WP-5735 The DLP library has been updated to version 2.6.6. 
WP-5740 Update SWG with new Icons for consistent branding.
WP-5767 Pdf opener does not crash anymore.
WP-5778 The next-hop proxy process no longer dereferences fServerSocket = 0x0 when multiple requests are received over the same connection. 
WP-5810 The robustness of an AV filter has been improved. 
WP-5818 When LDAP authentication is performed for a user with a mail filter enabled, the authentication process does not fail anymore if the user name contains the @ special character.
WP-5844 Cab files are no longer detected as corrupted and it is downloaded properly without any issues.
WP-5858 Selected templates are now exported from a user created schema. 

 

Vulnerabilities Fixed    

Reference Description

WP-5815, WP-5834,WP-5872

This Secure Web Gateway release includes updates addressing publicly disclosed CVEs, regardless of whether a CVE has been shown to impact customers.
The following medium and higher-level CVEs (CVSS 3.0 >= 4) were involved:

  • CVE-2023-38545: This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with.

    CVE-2023-38546: This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates en easy handle called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as `none` (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named `none` - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course.
  • CVE-2023-42795: Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
  • CVE-2019-15165: sf-pcapng.c in libpcap before 1.9.1 does not properly validate the PHB header length before allocating memory.

Known Issues in the 12.2.3 Release    

This release includes known issues.

JIRA issue numbers are provided in the reference columns.

Reference Description

WP-5922

Issue: The Internal Administrator Account tab may remain hidden due to being overlapped by the Roles tab.
 
Work Around: Drag the left edge of the Roles tab slightly towards the center area to access the Internal Administrator Account tab.

  • Was this article helpful?