Secure ICAP Gateway
November 2024
Version 6.0.0
November 29, 2024
- 6.0.0 is a major version and there are functionalities and procedures which are different from version 5.x. We strongly recommend that you visit the Installation Guides first to familiarize yourself with these changes.
- In Red Hat Enterprise Linux (RHEL) 9, as per Red Hat Documentation, the default system-wide cryptographic policy level offers secure settings for current threat models. It allows the TLS 1.2 and TLS 1.3 protocols, as well as the IKEv2 and SSH2 protocols. RSA keys and Diffie-Hellman parameters are accepted if they are at least 2048 bits long. This also means that certificates which use SHA-1 as the TLS hash and signature algorithm are not accepted.
- TLS 1.0 and TLS 1.1 encryption protocols are deprecated and disabled by default.
Enhancements
- The product’s platform, Red Hat Enterprise Linux (RHEL), has been updated from version 7.9 to version 9.4.
- The RHEL 9 administrative interface, Cockpit, has been updated, including improved SELinux support and various user interface fixes.
- STIG compliance has been enhanced, using the latest RHEL 9 DISA profiles.
- Enhancements have been made to improve encryption, certificate management and TLS compatibility for secure connections.
- Support has been added to reduce false positives when detecting Canadian Social Insurance Numbers (SIN), by validating candidates with the Luhn algorithm.
- Java has been upgraded to version 21, for improved compatibility and performance.
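The Luhn-based SIN validation mentioned above, sketched as an added example (this is not the product's DCI Engine code). The candidate pattern, function names and sample text are assumptions made for illustration; the point is how the checksum discards nine-digit strings that only look like a SIN.

```python
import re

# Nine digits, optionally split 3-3-3 by one consistent separator (space or hyphen).
# The lookarounds stop the pattern from matching inside longer digit runs.
SIN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})([ -]?)(\d{3})\2(\d{3})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        value = int(char)
        if position % 2 == 1:      # every second digit, counting from the right
            value *= 2
            if value > 9:          # same as adding the two digits of the product
                value -= 9
        total += value
    return total % 10 == 0


def find_sin_candidates(text: str, require_luhn: bool = True) -> list:
    """Return SIN-shaped strings found in text, optionally Luhn-filtered."""
    hits = []
    for match in SIN_CANDIDATE.finditer(text):
        digits = match.group(1) + match.group(3) + match.group(4)
        if require_luhn and not luhn_valid(digits):
            continue               # shaped like a SIN, but the checksum fails
        hits.append(match.group(0))
    return hits


# Constructed sample text; the numbers are made up for this example.
SAMPLE = """\
Employee SIN: 046 454 286
Invoice ref 123-456-789
Phone ext 555 010 999
Tracking 10464542869
SIN on file 123456782
"""

if __name__ == "__main__":
    print("pattern only:", find_sin_candidates(SAMPLE, require_luhn=False))
    print("with Luhn:   ", find_sin_candidates(SAMPLE, require_luhn=True))
```

A passing checksum only means the number is well formed, so a Luhn-valid match is still a candidate rather than a confirmed SIN.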
Fixes
- A critical vulnerability found in the previous release (CVE-2023-26136) has been fixed through the upgrade of Cockpit to a later version, including its dependent libraries.
- Resolved a long-standing issue that required a restart of NetworkManager after configuring an SNMP server in Cockpit.
- Resolved an issue where updates to FileZilla version 1.8.2 disrupted the FTP backup process for the product.
- Resolved a license validation issue on Japanese systems.
- Resolved a crash in the DCI (Deep Content Inspection) Engine caused by processing PDF files that contain circular references in their outline.
- Corrected the DCI Engine's handling of Text Views in XML DFC, which caused a failure to detect the "Social Security number" text entities in XML document search.
November 2023
Version 5.7.0
November 8, 2023
Fixes
- A fix has been applied to an issue where Secure ICAP Gateway failed lexical analysis on large file transfers.
- A fix has been applied to an issue where viruses (CXmail/Redir-A) were detected as false positives on some web pages.
May 2023
Version 5.6.0
May 26, 2023
New Features
- The OCR feature has been extended with QR code and barcode scanning. You can adjust your preferences under System > Gateway Settings > Policy Engine Settings.
Enhancements
- In accordance with the recent rebranding from HelpSystems to Fortra, changes have been applied to the user interface, including new product and company logos.
- The User Interface Service Access Log has been enhanced to include additional audit events, such as system reboots, configuration changes and admin user modifications.
- Properties of IRM protected documents can now be detected using the Analyze Properties content rule.
- Security improvements have been made in handling login attempts by users. The login screen now displays the same message whether the user is valid or not.
- Customizations to the Gateway Infrastructure service Memory allocation can now be maintained on upgrade.
Fixes
- Improvements in the OCR functionality allow images with a color depth of 64 bits to be analyzed with better accuracy.
- Amendments have been made to an issue where text reduction failed on proxies such as Bluecoat and Squid.
- Analysis of PNG files has been improved to reduce instances of false-positive identification of malformed data.
- Modifications have been made in calculating the size of ICAP as well as Netstar log files. The alarm for a large log is now raised appropriately.
- Log4j v1.2.17 has been removed from, and is not used by, the product.
- Text and word wrapping in the Gateway Branding page now works as intended on the login page.
- Amendments have been made to an issue where the Avira anti-virus scanner was left enabled on the peers, despite disabling it and applying that configuration to the peers.
- PostgreSQL logging now uses the system time zone for new installations, instead of GMT.
- Amendments have been made to an issue where the Installation Wizard was not correctly displayed when hosted on a NIC Team or Bond.
- Secure ICAP Gateway now logs connection drop-outs less frequently to prevent the logs from being flooded.
- Amendments have been made to an issue where message processing failed with the error: Sophos AV Error 0xc21d0307, 127.0.0.1:4010, 30.
- The Ignore duplicate occurrences option in lexical expressions now works as intended, and counts a specific lexical expression only once when detected multiple times.
- Amendments have been made to an issue where message processing failed, indicating that the Avira anti-virus scanner was unable to scan file contents due to error code 0xc21d0507.
December 2022
Version 5.5.0
December 5, 2022
New Features
- The ICAP connection between client and server has been enhanced so that it is now a secure, encrypted channel.
Enhancements
- MS Office formats have been split into CDA/XML format types so that you can specifically select one or the other in rules which have media type selection.
Fixes
- Python3 code has been updated to run with version 3.8. This resolves CVE-2021-3177. Note that the "python3" package may still be installed after upgrade and require manual removal.
- Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults. Apache Commons Text has been upgraded to 1.10.0 where applicable to nullify this threat.
- A fix has been applied so that PDF files no longer cause memory exhaustion.
- A fix has been applied so that a Redact Text rule correctly redacts the selected text from a PDF.
- The possibility of creating a cross-site scripting (XSS) attack in the admin user interface using a maliciously crafted message tracking URL has been removed.
- Fixed an Export Reports issue where "Send to Me" would send the report to the administrator rather than the logged-in user.
- Clearswift is committed to providing software that can perform in a secured Red Hat environment with a high overall STIG security score against the DISA STIG profile. Red Hat has released a new version of the scap-security-guide package v0.1.63 (https://access.redhat.com/errata/RHBA-2022:6576) on RHEL7, which contains an update to the DISA STIG profile to version V3R8. This new profile version introduces several additional requirements but was released too late for these to be factored into the Gateway v5.5 release. As a result, these will be observed as additional findings in any STIG evaluation report using this new profile. These extra findings do not represent a reduction in the security of the Gateway software but are additional configurations that could be implemented to improve the overall system security. However, remediating these rules without proper evaluation carries the risk that the enhanced protection they introduce may conflict with correct system operation. Clearswift will be working to evaluate these new rules to determine their impact on the system and will make modifications to the product to allow for automatic remediation in a future release.
July 2022
Version 5.4.3
July 15, 2022
Enhancements
- In the Detectable Types selection list within the Detect Lexical Expression, Detect Media Types and Redact Text content rules, support has been added for iCalendar. This means the Gateway can provide better deep content inspection of some types of meeting requests and calendars.
- The update URLs for Sophos Anti-Virus are now "https" rather than "http". For example, https://sav-update-1.clearswift.net/SOP64/sopupdates.txt
- Proactive Alerts have been modified to restrict any potentially sensitive information being sent to Clearswift via unsecured email. An ability to modify the message body of the Proactive Alerts emails has been introduced, so when working with customer support, and with communication over TLS, more diagnostic information can be sent. Please note that using the Proactive Alerts feature requires a license.
Fixes
- A fix has been applied to an issue where informs were not sent correctly if the Analyze Properties content rule was configured to detect multiple document properties, and to generate an inform.
- A fix has been applied to an issue with Cockpit where Software Updates > Check for Updates could contain out-of-date information. Now, the caches are correctly cleared by clicking the Check for Updates button.
- There were occasional SSL errors while updating Netstar. Netstar has fixed this issue in their latest SDK, which is a part of the Secure ICAP Gateway version 5.4.3 release. It is recommended that customers upgrade to this version and monitor their Gateway’s behavior.
- The Netstar watchdog now checks if online URL categorisation can be performed. If not, the Netstar and ICAP services are restarted. To disable this online check, for example when the Gateway is in a closed environment, create the following file: sudo touch /var/cs-gateway/websettings/netstar/netstar_no_online_check
- A fix has been applied to an issue where Netstar downloads prevented new downloads from taking place. Now, selecting the reset option on the UI deletes the lock file and allows a new download to commence.
- A fix has been applied to an issue where SCOM server configuration in Cockpit could be lost after a product upgrade.
December 2021
Version 5.4.2
December 21, 2021
- In response to the recent global security alert (CVE-2021-45105) on Apache Log4j, we have fixed the vulnerability on the affected versions of the Secure Gateway products.
Version 5.4.1
December 17, 2021
New Features
- A support extract with system status information is now automatically generated by the watchdog whenever a service failure is detected, and more importantly before the ICAP service is restarted.
Enhancements
- The product icon for Secure ICAP Gateway has been updated.
Fixes
- Some macro-enabled Visual Basic .xlsm files were failing to process and causing the message to be held as Malformed Data. This has now been resolved.
- If an FTP backup configuration is enabled, the password was previously held in plain text in the file /var/cs-gateway/diag/diag-config.xml. This is now encrypted.
- The description for the Drugs URL category previously grouped all "drug" websites into one category. We have created a new Illegal Drugs category which is separate from the medical/pharmaceutical products. The default policy now blocks illegal drugs.
- The Netstar "search & portal" category now maps to both Clearswift Search and Portal categories instead of just the Portal.
- HTTPS content in tokens, headers and data will be displayed in Informs only when both of the following are true: the functionality to include HTTPS headers, data and diagnostic information is configured in the UI, and a support script has been run as documented in the online help.
- Netstar SSL experienced some errors when updating. This had been resolved by Netstar in a later SDK version than the one being used at the time.
- Computer Graphics Metafile (CGM) files were not available in the Detectable Types selection list within the Detect media types content rule. This has now been resolved.
- When configuring a Redact Text rule, for UK postcodes (which consist of multiple parts, e.g. AB1 0CD), only the first portion of the UK postcode was being redacted. This has now been fixed.
- A fix has been applied so that when running a Connectivity Test for Avira, it no longer erroneously fails and shows servers as unavailable.
- It was previously not possible to sanitize active content for xlsm files created in the recent version of M365. This has now been fixed.
- When querying the user activity for a particular user, there was too much data per day. This has been fixed and a time range can now be configured for the user activity report. This allows the amount of data to be reduced and prevents the size limit being reached.
- Microsoft Project (.mpp) files were failing to process with errors. This has now been resolved.
- A fix has been applied to the Sanitize Active Content rule, whereby active content was being incorrectly detected.
- In response to the recent global security alerts (CVE-2021-44228 and CVE-2021-45046) on Apache Log4j, we have fixed the vulnerability on the affected versions of the Secure Gateway products.
September 2021
Version 5.4.0
September 27, 2021
Enhancements
- For increased security, the PostgreSQL database has been upgraded from V9.6 to V13.3.
Fixes
- Listening on port 81 has been turned off and the port disabled.
- Unlicensed rules can now be deleted from a policy route.
- PDF files are now created correctly following steganography or text redaction changes.
- The install process on systems with large RAM and hard disk capacities has been streamlined.
- The Clearswift product name is now clearly identified within Cockpit.
June 2021
Version 5.2.0
June 3, 2021
Enhancements
- The Lifestyle category has been removed from the default 'Sexually Explicit' web policy route. This improves matching for these categories.
Fixes
- PDF rendering has been improved, following steganography or redaction changes applied by the Gateway.
- XLSX files were being detected as active content when no active content was present. This has now been fixed.
- You can now disable XLM macros from being detected by adding a configuration to the CDA and ZIP format managers. For more information, refer to the online help topic on Sanitization.
- Processing documents such as PDFs and RTFs has been improved, resulting in more efficient detection of active content.
- PDF detection and processing has been enhanced in this release to correct a number of issues, including the Gateway becoming unresponsive.
- The gdb and valgrind RPMs can now be removed after product installation. This should be performed using the yum utility in Cockpit Terminal. Please note that these will be automatically reinstalled upon every product upgrade, so the removal process will need to be repeated each time.
- URL categorization speed has been increased resulting in more efficient performance.
March 2021
Version 5.1.0
March 1, 2021
New Features
- URL Database replacement.
Enhancements
- The Kaspersky anti-virus engine has been upgraded to version 8.9.
- The URL Database component has been improved, enabling more efficient categorization of URLs. Consequently, the real-time categorization content rule is no longer required. The database is a dynamic list of URL categories that can be updated or, if necessary, reset at any time. Note that personally identifiable information such as IP address, hosts, paths or telemetry is not collected by the URL database, in accordance with privacy considerations.
- Branding changes have been applied to the user interface including new product logos. SECURE ICAP Gateway is now Secure ICAP Gateway.
- Secure ICAP Gateway now has its own unique installation ISO and download location.
Fixes
- An update to the Avira anti-virus engine has resolved a number of issues, including the detection of Eicar, and consistent use of downloaded definitions.
- Static Hostnames can contain alias names of over 40 characters.
- The update to the URL Database component has resolved a number of issues including synchronization of URL categories.
- A custom setting has been added to help FTP backups work more effectively.
September 2020
Version 5.0.0
September 08, 2020
New Features
- Red Hat Cockpit replaces server console for administrators. Cockpit is an integrated web interface used for managing your network configuration, software updates, and system management.
Enhancements
- This version of the Gateway runs on RHEL 7.8, enabling more accessible software updates, a number of technical improvements from RHEL 6, timely security fixes, and a more robust operating system.
- You can now configure a lexical expression to ignore any duplicates of a unique string that matches that expression. This reduces false positives, where a string might be repeated in a file or attachment.
- Detection of lexical expressions has been enhanced, so that the count of multiple matches is recorded per attachment or document.
- The user interface has been resized to be more responsive to screen size. Additionally, sensitive terminology has been updated where possible, replacing slave/master with worker/controller in log files. Blacklists and whitelists are now referred to as block lists and allow lists respectively.
- You can now configure the Gateway to scan files up to 16 GB.
Fixes
- A weighted term now only counts once if it is repeated across multiple worksheets, if ‘Each expression may trigger only once for each part of the message’ is selected.
- UI access controls have been significantly updated and tightened, restricting permissions to the correctly privileged users.
- An admin account opening multiple tabs while logged in to the Gateway presented the risk of cross-site request forgery (CSRF) if a malicious page was open in a browser. This vulnerability has been resolved in this release.
- Only the Installation Wizard page is accessible if the Gateway has not been fully configured.
- The branding text, which appears on the login page, was editable without authentication. This has been resolved in this release.
- The Kaspersky anti-virus engine now installs correctly.
September 2020
Version 4.11.2
- No updates for this release.
October 2019
Version 4.11.1
Enhancements
- Sanitization of URLs in documents.
- Text extraction from embedded images in PDFs.
Fixes
- When configuring the Gateway using the installation wizard, licenses were marked as invalid if you selected the Turkish locale (tr_TR.UTF-8) with US keyboard settings and the time zone GMT+2, using the Server Console.
- OCR extraction did not work on all images due to a problem with processing.
- The searchability of reference lists was not working when using Internet Explorer 11.
- The ISTag response header size exceeded the 32-byte limit.
- According to RFC 3507, the response to an OPTIONS request must include the Methods and Encapsulated headers; however, the ICAP Gateway did not provide the Encapsulated header in its response.
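The last two fixes above both concern the ICAP OPTIONS response. As an added example (not the product's code), the following checker parses an OPTIONS response head and reports those two defects; the function names and both sample responses are constructed for illustration, and the 32-byte limit is applied to the ISTag value with its surrounding quotes removed.

```python
# Constructed OPTIONS responses: one well formed, one showing both defects.
SAMPLE_OK = (
    b'ICAP/1.0 200 OK\r\n'
    b'Methods: RESPMOD\r\n'
    b'ISTag: "W3E4R7U9-L2E4-2"\r\n'
    b'Encapsulated: null-body=0\r\n'
    b'Options-TTL: 3600\r\n'
    b'\r\n'
)
SAMPLE_BAD = (
    b'ICAP/1.0 200 OK\r\n'
    b'Methods: REQMOD\r\n'
    b'ISTag: "' + b'A' * 40 + b'"\r\n'
    b'\r\n'
)

ISTAG_MAX_BYTES = 32
REQUIRED_HEADERS = ("Methods", "ISTag", "Encapsulated")


def parse_icap_head(raw: bytes):
    """Split an ICAP response head into (status_code, {lowercase name: [values]})."""
    head, separator, _body = raw.partition(b"\r\n\r\n")
    if not separator:
        raise ValueError("response head is not terminated by an empty line")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        raise ValueError("not an ICAP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(parts[1]), headers


def check_options_response(raw: bytes) -> list:
    """Return a list of findings; an empty list means the checks passed."""
    status, headers = parse_icap_head(raw)
    findings = []
    if status != 200:
        findings.append("unexpected status %d" % status)
    for name in REQUIRED_HEADERS:
        if name.lower() not in headers:
            findings.append("missing %s header" % name)
    for tag in headers.get("istag", []):
        quoted = len(tag) >= 2 and tag[0] == '"' and tag[-1] == '"'
        value = tag[1:-1] if quoted else tag
        size = len(value.encode("ascii", errors="replace"))
        if size > ISTAG_MAX_BYTES:
            findings.append("ISTag value is %d bytes; limit is %d" % (size, ISTAG_MAX_BYTES))
    return findings


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_options_response(sample))
```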
August 2019
Version 4.11.0
New Features
- OCR (Optical Character Recognition) allows the Web Gateway to block or redact any suspicious or confidential text it discovers in images.
Enhancements
- Improved searchability of Machine Lists, User Names, Internet Zones, and Intranet Sites.
- Configurable transaction logs.
- Sanitization and redaction of metadata in GIFs and PNGs.
- Detect and inspect content in RAR5 archive files.
- Content sanitization occurs regardless of the read-only flag in XMP data.
Fixes
- The Gateway offered a limited set of ciphers and there was no customer-override available. If none of the Email Gateway ciphers were supported by the SFTP server, the SFTP option could not be used. This has been resolved in this release by replacing the low-security cipher.
April 2019
Version 4.10.0
Enhancements
- You can now detect and process High Efficiency Image File formats (HEIF and HEIC).
- Sophos anti-virus has been upgraded to version 2.6.
- Kaspersky anti-virus has been upgraded to version 8.8.
Fixes
- A problem has been fixed where the Memory Low and Memory Critical alarms failed to trigger correctly when configured in specific instances.
- A problem has been fixed where some pages were displayed and allowed files to be downloaded, even when the All Traffic content rule was set to block.