Security Information

There will be security information that needs to be shared about FileWave or components that we use. We may also link to critical notices about macOS, Windows, iOS, and other OSs if they appear to be severe, and would impact you as an IT manager.

FileWave Security

FileWave SSL Certificates

Using self-signed certificates should be avoided as much as possible in production environments; while it may make sense in some closed environments, using Globally trusted CAs is our recommended approach.

The FileWave Server and other FileWave Components (e.g. Clients, Web Console, IVS, etc.) use the MDM server SSL certificate to validate communication. This certificate needs to be uploaded into the SSL Certificate Management pane, in the General tab inside FileWave Admin Preferences. This validation check will ensure secure and trusted communication between your FileWave server and the various FileWave components in your environment. Even though a self-signed certificate is supported, having a root trusted certificate from a CA is the best and most recommend option.

Security and FileWave

FileWave uses SSL, certificates, and secure tokens for much of its primary device and content management. Fileset technology is a patented, proprietary wrapper for content. Instead of sending a standard .pkg or .msi installer packages to the client, we wrap the content inside a Fileset. Because this is a proprietary container, the integrity of the delivered content is assured.

FileWave client security

Communications between the FileWave Client and either the Server or any Boosters is done through SSL.

The FileWave Client is tracked by device name in Inventory. Admin changes to Client configurations are either done through a specific Fileset, called a Superprefs Fileset, or through the Client Monitor. The contents of a Superprefs Fileset are secure from external packet sniffing, package viewer tools, and brute force access. The Client Monitor settings are protected by a unique password assigned by the FileWave Admin at the time of installation of the FileWave client. This password is not readily available to the device's local administrator.

FileWave Server security

The FileWave client communicates to the FileWave Server using SSL. The FileWave server supports multiple sub-administrators. The biggest concern is proper password and account management; but each sub-admin can be limited as to their level of access to clients, Filesets, and services.

Client tracking

A device can be tracked from FileWave Admin. Activating tracking involves setting the client state of the device to Normal and the current user of the device will receive a notification asking them to approve tracking (iOS and OS X only). Android devices will request that all client permissions be granted at installation, and Windows devices do not provide any user notification. Only devices on Wi-Fi will be tracked.

These tracking options can be disabled for any FileWave administrator account by modifying their permissions in the FileWave Admin. You can also have a global change on your FileWave license by requesting to disable Personal Data Collection. Keep in mind, disabling Personal Data Collection will not only prevent FileWave from gathering location data but also other personal data on the device.

Disaster recovery

Backup of both the server environment and end user data are critical areas of planning. Backup of your servers can be as simple as taking snapshots of the VMs at regular intervals. The FileWave server is running a database using SQL, and as such, you cannot use normal backup solutions to insure its safety. Use the information on the FileWave Support site to make sure you properly back up the server. 

Supply-Chain Attack Threat Management

Question

How does FileWave reduce the risk of supply-chain attacks against the FileWave product and release process?

Answer

Supply-chain attacks are a serious risk for software vendors, especially vendors that provide endpoint management and IT operations tools. FileWave works to reduce that risk through a layered approach to product development, component management, build automation, release delivery, and security review.

A supply-chain issue can be introduced in more than one place: internal source code, a build or release process, a partner component, a third-party library, or an open-source dependency. FileWave also publishes Open Source Software used in FileWave, which lists documented open-source components. Because of that, FileWave treats supply-chain protection as an ongoing process rather than a single control.

FileWave's controls focus on limiting where release components come from, making the product assembly process repeatable, reducing manual release steps where practical, reviewing known material vulnerabilities, and responding to feedback from security researchers, vendors, customers, and the broader security community.

No security process is perfect, so FileWave continues to review and improve its tools and processes as cybersecurity threats and attack methods change.

Apache CVE-2006-20001 / CVE-2022-36760 / CVE-2022-37436

What

On January 17, 2023, Apache released version 2.4.55 to address three vulnerabilities (CVE-2006-20001/CVE-2022-36760/CVE-2022-37436).

When/Why

Our development team has reviewed these vulnerabilities and found that FileWave is not vulnerable to any of them.

How

Two of the modules are not used and the third module exploit is not relevant for our implementation. We plan to incorporate Apache version 2.4.55 or later in the next possible release.

Security Notice: Apache log4j Vulnerability CVE-2021-44228

What

CVE-2021-44228 is the Apache Log4j2 vulnerability commonly known as Log4Shell. It was disclosed in December 2021 and affected vulnerable Log4j2 versions where attacker-controlled JNDI lookups could lead to remote code execution.

FileWave's product assessment found that FileWave Server, Boosters, IVS, and Clients were not impacted by CVE-2021-44228.

Why

This page is retained as a historical security notice for customers who need to answer security questionnaires, audit older records, or confirm FileWave's Log4j assessment.

How

No FileWave-side patch or configuration change is required specifically for CVE-2021-44228 for the FileWave components covered by this notice.

If you are validating an environment:

  1. Confirm that the system being reviewed is a FileWave Server, Booster, IVS, or Client component.
  2. Review any non-FileWave Java applications or services on the same hosts separately, since this notice only covers FileWave products.
  3. If the environment is old or unsupported, compare the installed FileWave version with current FileWave support guidance and any newer FileWave security notices.

Related Content