Secure Web Gateway
November 2024
Version 6.0.0
November 29, 2024
- 6.0.0 is a major version and there are functionalities and procedures which are different from version 5.x. We strongly recommend that you visit the Installation Guides first to familiarize yourself with these changes.
- In Red Hat Enterprise Linux (RHEL) 9, as per Red Hat Documentation, the default system-wide cryptographic policy level offers secure settings for current threat models. It allows the TLS 1.2 and TLS 1.3 protocols, as well as the IKEv2 and SSH2 protocols. The RSA keys and Diffie-Hellman parameters are accepted if they are at least 2048 bits long. This also means that certificates which use SHA1 as the TLS hash, signature, and algorithm are not accepted. Note that this is the "default" policy, and it is possible to change the system to the "legacy" policy.
- TLS 1.0 and TLS 1.1 encryption protocols are deprecated and disabled by default. These protocols can be enabled by changing the system-wide crypto policy to "legacy" mode. However, this needs to be handled with great caution as it can lower the security level of the product.
Enhancements
- The product's platform, Red Hat Enterprise Linux (RHEL), has been updated from version 7.9 to version 9.4.
- The RHEL 9 administrative interface, Cockpit, has been updated, including improved SELinux support and various user interface fixes.
- STIG compliance has been enhanced, using the latest RHEL 9 DISA profiles.
- Enhancements have been made to improve encryption, certificate management and TLS compatibility for secure connections.
- Support has been added to reduce false positives when detecting Canadian Social Insurance Numbers (SIN), by adopting a validation using the Luhn algorithm.
- The Internet categorization component has been updated, for improved compatibility and performance.
- Apache Traffic Server (ATS) has been updated to version 9.2.5, addressing critical vulnerabilities (CVE-2023-38522, CVE-2024-35161, CVE-2024-35296) as well as enhancing system security and stability.
- Java has been upgraded to version 21, for improved compatibility and performance.
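The Luhn check named in the Canadian SIN enhancement above, shown as an added Python example (not the product's code): nine-digit candidates are matched by pattern, then filtered by checksum. The pattern, function names, sample text and the all-zero rejection are assumptions made for illustration.

```python
import re

# Assumed candidate pattern: nine digits, optionally grouped 3-3-3 with one
# consistent separator (space or hyphen). The lookarounds stop the pattern
# from matching inside a longer run of digits such as a phone number.
SIN_CANDIDATE = re.compile(r"(?<![\d-])\d{3}([ -]?)\d{3}\1\d{3}(?![\d-])")


def luhn_valid(digits):
    """Return True if a string of decimal digits passes the Luhn checksum."""
    total = 0
    # Walk right to left and double every second digit; a doubled value
    # above 9 has its two digits summed (equivalent to subtracting 9).
    for position, char in enumerate(reversed(digits)):
        value = int(char)
        if position % 2 == 1:
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def find_sins(text, validate=True):
    """Return normalised nine-digit SIN candidates found in text.

    With validate=False every pattern match is returned (pattern-only
    detection); with validate=True only Luhn-valid candidates remain.
    """
    found = []
    for match in SIN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if validate:
            # Added assumption: "000000000" trivially passes Luhn
            # (checksum 0), so it is rejected explicitly.
            if set(digits) == {"0"} or not luhn_valid(digits):
                continue
        found.append(digits)
    return found


# Constructed sample text: two Luhn-valid values, two nine-digit
# look-alikes, and a ten-digit number the pattern must not match.
SAMPLE = (
    "Employee SIN: 046 454 286\n"
    "Invoice 123-456-789 paid\n"
    "Part no. 555123456\n"
    "Alt SIN 130-692-544\n"
    "Phone 4165550123\n"
)

if __name__ == "__main__":
    print("pattern only:", find_sins(SAMPLE, validate=False))
    print("with Luhn:   ", find_sins(SAMPLE))
```

Luhn catches roughly nine in ten random nine-digit strings, so pattern matches such as invoice or part numbers are mostly dropped while real SINs are kept.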
Fixes
- A critical vulnerability found in the previous release (CVE-2023-26136) has been fixed through the upgrade of Cockpit to a later version, including its dependent libraries.
- Resolved a long-standing issue that required a restart of NetworkManager after configuring an SNMP server in Cockpit.
- Resolved an issue where updates to FileZilla version 1.8.2 disrupted the FTP backup process for the product.
- Resolved a license validation issue on Japanese systems.
- Resolved a crash in the DCI (Deep Content Inspection) Engine caused by processing PDF files that contain circular references in their outline.
- Corrected the DCI Engine's handling of Text Views in XML DFC, which caused a failure to detect the "Social Security number" text entities in XML document search.
- Resolved an intermittent synchronization issue with LDAPS.
- Resolved an issue where requests through an upstream proxy were incorrectly routed to the wrong website when navigating from an IP address to a hostname.
- Corrected a bug that caused the web proxy to crash randomly due to double configuration upon restart.
- Resolved an issue introduced with the latest web proxy where it may have become unresponsive under high load conditions.
November 2023
Version 5.7.0
November 8, 2023
Enhancements
- Secure Web Gateway now supports TLS 1.3 for proxy client and server traffic using OpenSSLv3. The upgrade from OpenSSLv1 to OpenSSLv3 provides support for newer, more secure ciphers.
Fixes
- A fix has been applied to an issue where Secure Web Gateway failed lexical analysis on large file transfers.
- A fix has been applied to an issue where viruses (CXmail/Redir-A) were false-positively detected on some web pages.
- A fix has been applied to an issue where shortened X (formerly Twitter) URLs could not be accessed when an upstream proxy was in use.
May 2023
Version 5.6.0
May 26, 2023
New Features
- The OCR feature has extended functionality: QR code and barcode scanning. You can adjust your preferences under System > Gateway Settings > Policy Engine Settings.
Enhancements
- In accordance with the recent rebranding from HelpSystems to Fortra, changes have been applied to the user interface, including new product and company logos.
- The User Interface Service Access Log has been enhanced to include additional audit events, such as system reboots, configuration changes and admin user modifications.
- Properties of IRM protected documents can now be detected using the Analyze Properties content rule.
- Security improvements have been made in handling login attempts by users. The login screen now displays the same message whether the user is valid or not.
- Customizations to the Gateway Infrastructure service Memory allocation can now be maintained on upgrade.
Fixes
- Improvements in the OCR functionality allow images with a color depth of 64 bits to be analyzed with better accuracy.
- The SELinux policy has been updated to allow the deletion of temporary Samba cache files prior to joining an NTLM domain.
- Analysis of PNG files has been improved to reduce instances of false-positive identification of malformed data.
- The Purge the diagnostic data functionality on the Proxy Monitoring page has been modified to purge the data as intended.
- Log4j v1.2.17 has been removed from, and is not used by, the product.
- Text and word wrapping in the Gateway Branding page now works as intended on the login page.
- Amendments have been made to an issue where the Avira anti-virus scanner was left enabled on the peers, despite disabling it and applying that configuration to the peers.
- PostgreSQL logging now uses the system time zone for new installations, instead of GMT.
- Amendments have been made to an issue where Secure Web Gateway logged false errors when the upstream connection for browsing was enabled on the Upstream Proxy Settings page, and URLs were added under the URL Bypass tab.
- German and Japanese installations of Secure Web Gateway can now successfully import the keytab file when setting up Kerberos authentication.
- Amendments have been made to an issue where the Installation Wizard was not correctly displayed when hosted on a NIC Team or Bond.
- Secure Web Gateway can now resolve shortnames within a domain.
- Amendments have been made to an issue where message processing failed with an error: Sophos AV Error 0xc21d0307, 127.0.0.1:4010, 30.
- The Ignore duplicate occurrences option in lexical expressions now works as intended, and counts a specific lexical expression only once when detected multiple times.
- Amendments have been made to an issue where message processing failed indicating that the Avira anti-virus scanner was unable to scan file contents due to error code: 0xc21d0507.
December 2022
Version 5.5.0
December 5, 2022
Enhancements
- MS Office formats have been split into CDA/XML format types so that you can specifically select one or the other in rules which have media type selection.
Fixes
- Python3 code has been updated to run with version 3.8. This resolves CVE-2021-3177. Note that the "python3" package may still be installed after upgrade and require manual removal.
- Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults. Apache Commons Text has been upgraded to 1.10.0 where applicable to nullify this threat.
- A fix has been applied so that PDF files no longer cause memory exhaustion.
- A fix has been applied so that a Redact Text rule correctly redacts the selected text from a PDF.
- The possibility of creating a cross-site scripting (XSS) attack in the admin user interface using a maliciously crafted message tracking URL has been removed.
- Fixed an Export Reports issue where "Send to Me" would send the report to the administrator rather than the logged in user.
- Clearswift is committed to providing software that can perform in a secured Red Hat environment with a high overall STIG security score against the DISA STIG profile. Red Hat has released a new version of the scap-security-guide package v0.1.63 (https://access.redhat.com/errata/RHBA-2022:6576) on RHEL7, which contains an update to the DISA STIG profile to version V3R8. This new profile version introduces several additional requirements but was released too late for these to be factored into the Gateway v5.5 release. As a result, these will be observed as additional findings in any STIG evaluation report using this new profile. These extra findings do not represent a reduction in the security of the Gateway software but are additional configurations that could be implemented to improve the overall system security. However, remediating these rules without proper evaluation carries the risk that the enhanced protection they introduce may conflict with correct system operation. Clearswift will be working to evaluate these new rules to determine their impact on the system and will make modifications to the product to allow for automatic remediation in a future release.
July 2022
Version 5.4.3
July 15, 2022
New Features
- A support extract with system status information is now automatically generated by the watchdog whenever a Proxy service failure is detected, and more importantly before the Proxy service is restarted.
Enhancements
- In the Detectable Types selection list within the Detect Lexical Expression, Detect Media Types and Redact Text content rules, support has been added for iCalendar. This means the Gateway can provide better deep content inspection of some types of meeting requests and calendars.
- The update URLs for Sophos Anti-Virus are now "https" rather than "http". For example, https://sav-update-1.clearswift.net/SOP64/sopupdates.txt
- Proactive Alerts have been modified to restrict any potentially sensitive information being sent to Clearswift via unsecured email. An ability to modify the message body of the Proactive Alerts emails has been introduced, so when working with customer support, and with communication over TLS, more diagnostic information can be sent. Please note that using the Proactive Alerts feature requires a license.
- The product icon has been updated.
- For increased security, the PostgreSQL database has been upgraded from V9.6 to V13.3.
- Two extra rows have been added to the Product Information table on the Cockpit Clearswift page to show whether Red Hat or Clearswift online updates are enabled.
Fixes
- A fix has been applied to an issue where informs were not sent correctly if the Analyze Properties content rule was configured to detect multiple document properties, and to generate an inform.
- A fix has been applied to an issue with Cockpit where Software Updates > Check for Updates could contain out-of-date information. Now, the caches are correctly cleared by clicking the Check for Updates button.
- There were occasional SSL errors while updating Netstar. Netstar has fixed this issue in their latest SDK, which is a part of the Secure Web Gateway version 5.4.3 release. It is recommended that customers upgrade to this version and monitor their Gateway’s behavior.
- The Netstar watchdog now checks if online URL categorisation can be performed. If not, the Netstar and Proxy services are restarted. To disable this online check, for example, when the Gateway is in a closed environment, create the following file: sudo touch /var/cs-gateway/websettings/netstar/netstar_no_online_check
- A fix has been applied to an issue where Netstar downloads prevented new downloads from taking place. Now, selecting the reset option on the UI deletes the lock file and allows a new download to commence.
- A fix has been applied to an issue where SCOM server configuration in Cockpit could be lost after a product upgrade.
- In response to the recent global security alerts on Apache Log4j, we have fixed the vulnerability on the affected versions of the Secure Web Gateway product.
- Some macro-enabled Visual Basic .xlsm files were failing to process and causing the message to be held as Malformed Data. This has now been resolved.
- It was previously not possible to sanitize active content for xlsm created in the recent version of M365. This has now been fixed.
- A fix has been applied to an issue where the Redact Text content rule only redacted the first portion of the UK postcodes (which consist of multiple parts, e.g. AB1 0CD).
- A fix has been applied to an issue with the Connectivity Test for Avira. The test no longer fails erroneously and servers will not be displayed as 'unavailable'.
- A fix has been applied to an issue where the UI rejected some valid characters in a URL, such as #, |, @, [, and ] when creating a new Custom URL List.
- Netstar SSL experienced some errors when updating. This had been resolved by Netstar in a later SDK version than the one being used at the time.
- If an FTP backup configuration is enabled, the password was previously held in plain text in the file /var/cs-gateway/diag/diag-config.xml. This is now encrypted.
- The Secure Web Gateway UI has been updated to display the 3 secure headers (X-XSS-Protection, X-Content-Type-Options and X-Frame-Options) on the block and error pages.
- All Netstar categories now map to a Clearswift category.
- The Netstar "search & portal" category now maps to both Clearswift Search and Portal categories instead of just the Portal.
- Download CRL entries without the "issuerName" and "serialNumber" now result in a logged warning rather than causing the download to fail.
- A fix has been applied to an issue where Microsoft Project (.mpp) files were failing to process with errors.
- A fix has been applied to the Sanitize Active Content rule, whereby active content was being incorrectly detected.
- HTTPS content in tokens, headers and data will be displayed in Informs only when both of the following are true: the functionality to include HTTPS headers, data and diagnostic information is configured in the UI, and a support script has been run as documented in the online help.
- The description for the Drugs URL category previously grouped all "drug" websites into one category. We have created a new Illegal Drugs category which is separate from the medical/pharmaceutical products. This default policy now blocks illegal drugs.
- The options in the UI to view engine and proxy diagnostics, and to download and purge diagnostics, were missing. These have now been restored.
- When querying the user activity for a particular user, there was too much data per day. This has been fixed and a time range can now be configured for the user activity report. This allows the amount of data to be reduced and prevents the size limit being reached.
- Computer Graphics Metafile (CGM) files were not available in the Detectable Types selection list within the Detect media types content rule. This has now been resolved.
- URL validation has improved as we were encountering URLs that did not conform to the RFC. Websites with a hyphen dot in the URL can now be accessed.
- The ability to use the token %PROXY% in a block page has been restored.
- The install process on systems with large RAM and hard disk capacities has been streamlined.
- A fix has been applied to an issue where the Clearswift product name was not clearly identified within Cockpit.
- PDF files are now created correctly following steganography or text redaction changes.
- Listening on port 81 has been turned off and the port disabled.
- A fix has been applied to an issue where the "Upgrade is available" alarm would never be raised if using a non-English system locale.
- A fix has been applied to an issue where new SCOM servers could not always be added in the Monitoring Services page in Cockpit.
- A fix has been applied to the issue where the 5.2 upgrade overwrites the keystore, reverting the custom UI certificate back to the Clearswift self-signed cert.
- A fix has been applied to a display error where URL links to the anti-virus update servers, such as sav-update, sometimes displayed old version numbers under System > Connectivity Test.
- A fix has been applied to an issue where multiple lines defined in the System > Gateway Branding > Front Page Text are displayed in a single line.
June 2021
Version 5.2.0
June 3, 2021
Enhancements
- The Lifestyle category has been removed from the default 'Sexually Explicit' web policy route. This improves matching for these categories.
Fixes
- PDF rendering has been improved, following steganography or redaction changes applied by the Gateway.
- XLSX files were being detected as active content when no active content was present. This has now been fixed.
- Processing documents such as PDFs and RTFs has been improved, resulting in more efficient detection of active content.
- PDF detection and processing has been enhanced in this release to correct a number of issues, including the Gateway becoming unresponsive.
- You can now disable XLM macros from being detected by adding a configuration to the CDA and ZIP format managers. For more information, refer to the online help topic on Sanitization.
- The gdb and valgrind RPMs can now be removed after product installation. This should be performed using the yum utility in Cockpit Terminal. Please note that these will be automatically reinstalled upon every product upgrade, so the removal process will need to be repeated each time.
- URL categorization speed has been increased, resulting in more efficient performance.
March 2021
Version 5.1.0
March 1, 2021
New Features
- URL Database replacement.
Enhancements
- Kaspersky anti-virus has been upgraded to version 8.9.
- The URL Database component has been improved, enabling more efficient categorization of URLs. Consequently, the real-time categorization content rule is no longer required. The database is a dynamic list of URL categories that can be updated or, if necessary, reset at any time.
- Branding changes have been applied to the user interface including new product logos. SECURE Web Gateway is now Secure Web Gateway.
- Secure Web Gateway now has its own unique installation ISO and download location.
Fixes
- An update to the Avira anti-virus engine has resolved a number of issues, including the detection of Eicar, and consistent use of downloaded definitions.
- Static Hostnames can contain alias names of over 40 characters.
- The update to the URL Database component has resolved a number of issues including synchronization of URL categories.
- The proxy was failing to communicate with HTTPS sites using NTLM due to a traffic service configuration. This has been fixed in this release.
- ATS (Apache Traffic Server) was crashing regularly, causing multiple core dumps. Core dumps have now been disabled.
- A custom setting has been added to help FTP backups work more effectively.
September 2020
Version 5.0.0
September 08, 2020
New Features
- Red Hat Cockpit replaces server console for administrators. Cockpit is an integrated web interface used for managing your network configuration, software updates, and system management.
Enhancements
- This version of the Gateway runs on RHEL 7.8, enabling more accessible software updates, a number of technical improvements from RHEL 6, timely security fixes, and a more robust operating system.
- Support for the SMBv1 protocol is no longer mandatory, due to security vulnerabilities. This version of the Clearswift SECURE Web Gateway still supports SMBv1, but SMBv2 will take precedence if available. The Gateway no longer requires a server to support SMBv1 in order to establish a connection.
- You can now configure a lexical expression to ignore any duplicates of a unique string that matches that expression. This reduces false positives, where a string might be repeated in a file or attachment.
- Detection of lexical expressions has been enhanced, so that the count of multiple matches is recorded per attachment or document.
- The user interface has been resized to be more responsive to screen-size. Additionally, sensitive terminology has been updated where possible, replacing slave/master with worker/controller in log files. Blacklists and whitelists are now referred to as block lists and allow lists respectively.
Fixes
- A weighted term now only counts once if it is repeated across multiple worksheets, if ‘Each expression may trigger only once for each part of the message’ is selected.
- UI access controls have been significantly updated and tightened, restricting permissions to the correctly privileged users.
- An admin account opening multiple tabs while logged in to the Gateway presented the risk of cross-site request forgery (CSRF) if a malicious page was open in a browser. This vulnerability has been resolved in this release.
- Only the Installation Wizard page is accessible if the Gateway has not been fully configured.
- The branding text appears on the login page, and was editable without authentication. This has been resolved in this release.
- The Kaspersky anti-virus engine now installs correctly.
September 2020
Version 4.11.2
- The proxy transaction log could incorrectly record the same hostname against multiple IP addresses.
October 2019
Version 4.11.1
Enhancements
- Sanitization of URLs in documents.
- Text extraction from embedded images in PDFs.
Fixes
- When configuring the Gateway using the installation wizard, licenses were marked as invalid if you selected the Turkish locale (tr_TR.UTF-8) with US keyboard settings and the time zone GMT+2, using the Server Console.
- OCR extraction did not work on all images due to a problem with processing.
- The searchability of reference lists was not working when using Internet Explorer 11.
August 2019
Version 4.11.0
New Features
- OCR (Optical Character Recognition) allows the Web Gateway to block or redact any suspicious or confidential text it discovers in images.
Enhancements
- Improved searchability of Machine Lists, User Names, Internet Zones, and Intranet Sites.
- Configurable transaction logs.
- Test authentication on multiple Kerberos Key Distribution Centers (KDCs).
- The error page generated by the Web Gateway now displays the relevant error text in the browser title bar.
- Sanitization and redaction of metadata in GIFs and PNGs.
- Detect and inspect content in RAR5 archive files.
- Content sanitization occurs regardless of the read-only flag in XMP data.
Fixes
- The Gateway offered a limited set of ciphers and there was no customer-override available. If none of the Email Gateway ciphers were supported by the SFTP server, the SFTP option could not be used. This has been resolved in this release by replacing the low-security cipher.
April 2019
Version 4.10.0
Enhancements
- TLS version selection for HTTPS Encryption settings now sets a minimum version, with the default version as TLS 1.0.
- You can now detect and process High Efficiency Image File formats (HEIF and HEIC).
- Sophos anti-virus has been upgraded to version 2.6.
- Kaspersky anti-virus has been upgraded to version 8.8.
Fixes
- A problem has been fixed where the Memory Low and Memory Critical alarms failed to trigger correctly when configured in specific instances.