Resolved issues in the 8.0.0 release

This release resolves known issues.

For a list of current known issues, see McAfee Web Gateway 8.0.x Known Issues (KB90960).

Bugzilla numbers are provided in the reference columns.

Network communication

Reference Issue

When the Konfigurator component was detaching itself after a previous logoff, the user interface responded with a non-availability message to logon requests from cluster nodes using WebStart.

The component did not account for the delay that occurs before the coordinator confirms the detachment after distributing information about this state to every cluster node.

1244440 In a reverse proxy configuration, Web Gateway closed the connection to a web server due to problems with handling HTTP2 traffic.
1245877 An HTTP connection to a web server was kept open, even after this server had sent a message with no connection header and a non-matching protocol version.
1247176 When processing a request for access to a particular website, an error message stating a common name mismatch was incorrectly sent to the user's browser.

When the password for connecting to a domain controller was updated on Web Gateway, SMCv2 errors occurred repeatedly and were logged, but had no further impact.

This happened when the password had been changed on Web Gateway and was not yet accepted by the domain controller. A second attempt made with the old password was successful.

1248650 Routing web traffic under WCCP using several Web Gateway appliances did not work. To restore WCCP routing, the appliances had to be removed from the network and added again one after another.
1249236 When DNS queries were performed under IP4 and IP6, use of the URL.Destination.IP property in a rule resulted in a high level of CPU usage.

When data was forwarded to a third-party application chunk-by-chunk, Web Gateway still sent an extra chunk after sending the last chunk of the data.

This extra chunk was prefixed to the next outgoing POST request by the load balancer that was involved in transferring the data, which caused the application to respond with an error message.

1252362 When Web Gateway was running connected to DXL, the connection status could not be viewed properly for Web Gateway unless looking it up directly under DXL, which was due to the use of an older DXL version.
1252452 When syslog was used to send access log data to a reporting server, error messages were displayed due to a problem with a missing bind address for port forwarding.

Authentication and web filtering

Reference Issue
1239051 An archive could not be scanned for anti-malware filtering because due to an issue with the opener, the Body.FullFilename property was not set to reflect the nesting hierarchy.
1244748 The core process on Web Gateway failed with term signal 6 due to problems with handling empty chunks encountered in image streams.
1245036 When an update of DAT files had been performed, the dashboard incorrectly displayed older file versions.
1247305 When the authentication settings had been modified, a user was successfully authenticated, but this was followed by a failure of the core process.
1247308 Downloading an HTTP2 stream led to a failure of the core process.
1247497 The Stream Detector failed to recognize a particular MPEG4 format, named MPEG DASH, so the video/mp4 media type was mistaken for application/x-empty.
1247886 Inappropriate cache handling when performing Kerberos authentication caused a massive increase in CPU usage.
1248146 The dashboard showed inaccurate information regarding the number of active connections to domain controllers used for NTLM authentication.
1248845 Anti-malware filtering slowed down resulting in severe latency for users due to a high number of GTI lookups.
1249271 A file in LZMA format was wrongly recognized as corrupted and blocked due to a problem that the opener encountered when handling the uncompressed-size information provided under this format.
1249445 Byte count information retrieved for a persistent connection using the Bytes.FromServer and BytesToServer properties was incorrectly logged with values for a previous request being kept also for the current request.

A particular type of mp4 files was not detected by the Stream Detector, but scanned nevertheless by the media scanner after having been detected through processing a customer-defined property that used Content-Header information.

This conflict caused several errors, which were recorded in logs files.

1252264 When configured to run as an FTP proxy, Web Gateway did not provide size information before a file download was started, which prevented use of this parameter in a whitelisting rule.

When several Web Gateway appliances were running as servers and clients in a HSM (Hardware Security Module) configuration, users were not able to access some HTTPS websites anymore.

This was due to HSM keys not being loaded on one server, which was not substituted by a failover. This was caused by segmentation faults that happened in library processing.

1253328 Processing of the Application.IsUnverified property showied inconsistent results in rule tracing and on the relevant block page.
1254106 When large compressed files were uploaded from Web Gateway to an FTP, server, the MD5 checksum was incorrectly calculated and transmitted, which caused problems with decompressing.
1254542 End users received anti-malware error messages caused by problems with performing updates for the Gateway Anti-Malware (GAM) server.


Reference Issue

Web Gateway was affected by the CVE-2018-2952/RHSA-2018 0980 vulnerability, which could be exploited by performing improper write operations when using openSS, allowing for zero-length file creation.

After an appropriate fix has been implemented, Web Gateway is not affected anymore.


Web Gateway was affected by the CVE-2018-0732 vulnerability, which occurred when using OpenSSL, allowing a Denial of Service attack that exploited the time required to generate a key for a very large prime value sent by a malicious server during the SSL handshake.

After an appropriate fix has been implemented, Web Gateway is not affected anymore.


Web Gateway was affected by the CVE-2018-1336 vulnerability, which posed a threat to the use of the Apache Tomcat server.

After an appropriate fix has been implemented, Web Gateway is not affected anymore.

1250269 and 1252235

Web Gateway was affected by the CVE-2018-5390 and CVE-2018-5391 vulnerabilities, which could be exploited by calling functions for every incoming data packet that cause an excessive consumption of resources within the Linux kernel and can lead to a denial of service.

After an appropriate fix has been implemented, Web Gateway is not affected anymore.


Web Gateway was affected by the CVE-2018-2952/RHSA-2018:2242 vulnerability, which created a security risk when importing openjdk.

After an appropriate fix has been implemented, Web Gateway is not affected anymore.


Reference Issue
1219442 When quota management was enabled, the session length that a user entered was not processed correctly, which led to triggering a rule that displayed the page for authorized overriding again instead of allowing the user to continue with the session.
1240337 When processing FTP-over-HTTP traffic, Japanese characters were not displayed correctly.
1245836 Processing a subscribed list with more than 100,000 entries, let CPU load increase to 100 percent, which was mainly related to an internal copying of the list for the purpose of retrieving property parameters and enabling plugin access.
1250564 When trying to log on to a cluster node, a problem with retrieving licensing information occurred, which could not be solved by reimporting the license file, but did not occur on other nodes.
1252626 Invoking an internal cleanup function on Web Gateway caused a conflict that led to a failure of the core process.
1252845 Changing the root password for a Web Gateway appliance on the user interface could not be completed correctly due to a problem with processing arrays of strings.
1254256 The core process on Web Gateway failed with term signal 6 due to a problem with initializing options whenseveral threads for LDAP authentication were configured.