Mule Runtime 3.9.0 Release Notes

Initial Release: October 6, 2017

Mule Runtime 3.9.0 includes fixes and patch update releases.

September 2023

What’s New

This release includes security updates.

Patch release version: 3.9.0-20230823

This patch update addresses the following issues:

Description Issue

This release includes important security enhancements and fixes.

W-13916544

There is no DataWeave update for this version this month.

For guidance with the patching process, see Apply Patch Updates.

May 2023

Patch release version: 3.9.0-20230424

This patch update addresses the following issues:

Description Issue

This release fixes runtime generated usage metrics.

W-12981071

There is no DataWeave update for this version this month.

For guidance with the patching process, see Apply Patch Updates.

October 6, 2017

Security Notification for On-Premises Deployments: A security vulnerability was found in this version of the Mule runtime engine. Error handlers do not escape exceptions generated for 404 and other response codes before adding the exceptions to the HTTP response. If the exception contains executable code, the interpreter will execute the code. If you are using this version of the Mule runtime engine on premises, upgrade to the latest version of 3.9.x or migrate to Mule 4. Note that standard support for Mule 3.9.x ends in 2021, though extended support ends in 2024.

Mule Runtime 3.9.0 is focused on customer requested enhancements and bug fixes.
This release allows you to:

  • Support for PGP signatures in Anypoint Enterprise Security

  • Certificate revocation list support for TLS configurations.

  • Communicate with FTP and SFTP servers via proxy.

  • Configure Mule to work with external Hazelcast servers for Anypoint Fabric.

  • Write database queries using the ‘WITH’ operator.

  • Process messages with non-blocking processing strategy and one way flows.

  • Speed startup times with parallel deployment support.

Additionally, this version of the API Gateway introduces mechanisms for alleviating disaster recovery conditions.

  • Gatekeeper is now able to use the last known state of each tracked API. If at initialization time, Anypoint API Platform is unreachable for any reason, the runtime will use the last known state of each tracked API (ie applied policies and registered API Contracts before the disaster condition), until connection is reestablished again; in which case the normal cyclic reconciliation mechanism will be triggered.
    This Gatekeeper functionality also works on Cloudhub workers.

  • Deploying or redeploying an app now runs a reconciliation cycle, independently from the general reconciliation mechanism. This behavior is introduced for the benefit of customers that have long reconciliation cycles and when deploying or redeploying an app have to wait a long time for policies to be applied or restart the runtime itself.
    Both reconciliation mechanisms follow BackOff and BackOn rules to make connection attempts. Logs were also improved to show this with fine grained details.

Software Compatibility Testing

Mule was tested on the following software:

Software Version

JDK

JDK 1.8.0 (Recommended JDK 1.8.0_144)

OS

MacOS 10.11.x, HP-UX 11i V3, AIX 7.2, Windows Server 2019, Windows 10, Solaris 11.3, RHEL 7, Ubuntu Server 16.04

Application Servers

Tomcat 7, Tomcat 8, Weblogic 12c, Wildfly 8, Wildfly 9, Websphere 8, Jetty 8, Jetty 9

Databases

Oracle 11g, Oracle 12c, MySQL 5.5+, DB2 10, PostgreSQL 9, Derby 10, Microsoft SQL Server 2014

Note that for RHEL 7, kernel version 3.10.0-1062 has an issue related to log4j2 that you can address by following guidance in the MuleSoft Knowledge Base article Mule Runtime CPU Utilization Increased After Patching the Linux Kernel to Kernel-3.10.0-1062.

API Gateway is compatible with the following software:

  • APIkit 3.9.0

  • Anypoint Studio 6.4.0

Changes

Flow

  • The initialState property of a flow now supports a property placeholder. You can set The initalState of a flow using a property placeholder such as:

    <flow name="trigger" initialState="${flow.state}"/>

    And define this placeholder from the mule-app.properties file:

    flow.state=stopped

    This is helpful when working in a disaster-recovery environment.

HTTP Listener

  • Support CRL in the HTTP listener. Implement certificate validation through revocation lists for clients connecting to the HTTP listener.

  • Support flag `-Dmule.timeout.disable=true in HTTP Listeners. Disable timeout when listening to external resources.

Remote Hazelcast

  • Support for using clusttering in remote fashion.

Java Service Wrapper

  • Change the default tanuki timeout action When the wrapper detects a timeout in the ping to the runtime, it will generate a DUMP and then restart in place of just restart as it was done before. This is useful for troubleshooting purposes.

Bundled Runtime Manager Agent

This version of Mule runtime comes bundled with the Runtime Manager Agent plugin version 1.9.0.

Anypoint Private Cloud Edition Support

This release is supported on Anypoint Private Cloud Edition 1.6.1 and later.

Community Edition Resolved Issues

Issue Description

MULE-13585

XSD’s imported in WSDL referenced as bare file results in warning while creating request body

MULE-13582

In domain scenarios, MuleMessage is losing its original context after MuleClient.request()

MULE-13577

Statements not closed on when searching metadata

MULE-13558

Http requesters built with the same tlsContext are not cached

MULE-13490

In WSC resolution of URIs containing a long concatenation of relative paths fails

MULE-13476

In Message Filter, unaccepted processor doesn’t modify message nor payload

MULE-13469

WSDL parsing fails with nested included/imported XSDs

MULE-13398

Propagation of SSL prevents Jackson serialization of InboundProperties

MULE-13326

Http non-blocking error handler nor cleaning thread local

MULE-13296

SMTP Transformer is not overriding endpoints attributes in the same flow.

MULE-13286

FTP is not honoring connection timeout in some particular scenarios.

MULE-13280

In File Endpoints, FileAge is not always honored.

MULE-13169

Only create sessions when JMS connection is not being closed to avoid deadlock

MULE-13167

When setting inboundValidationMessage true in soapkit it result in error cannot be cast to org.codehaus.stax2.XMLStreamReader2

MULE-13164

Inconsistent null return from one-way VM inbound endpoint.

MULE-13152

Add warning message to indicate timeout attribute only is taken into account in XA Transactions

MULE-13140

As XPathExpression is not thread safe, it should be accessed with synchronization

MULE-13127

Support for multi-valued "requiredAuthorities" property in AuthorizationFilter was intended, but never properly implemented

MULE-13067

Default Oauth2 token expression fails if JSON has multiple lines

MULE-13057

Cannot access attachments without Content-Disposition name attribute

MULE-13055

Trying to retrieve the mule context from event in transacted polling receiver may result in NPE.

MULE-13050

Filename regex does not take into account commas used for ranges

MULE-13048

MuleEvent does not mask credentials when they are embedded in MessageSourceURI

MULE-13046

In Db Module, it is necessary to use the scale for setting decimal values.

MULE-13038

Parallel deployment thread pool executor uses "caller runs" reject policy instead of "wait"

MULE-13034

Error responses with special characters should be scaped

MULE-12973

Add support for start parameter in http multipart/related response.

MULE-12969

Inconsistent behavior in foreach with collection attribute

MULE-12929

Mule Core Extensions aren’t being stopped if RuntimeExceptions are triggered.

MULE-12818

Xml Schema Validator filter changes mimetype

MULE-12782

Contention on ExceptionUtils.getCause - Upgrade commons lang to >=3.1

MULE-12738

In SftpClient exceptions do not wrap the root SftpException

MULE-12730

Transformer weightings are not correctly sorted when inputweighting does not match but outputweighting matches

MULE-12672

JDOM 1 was excluded in distribution but Flatpack needs it

MULE-12625

An option to set Hazelcast transactions as TWO_PHASE should be available

MULE-12266

Ensure that Notifications provides a copy of the MuleEvent to avoid thread access problems.

MULE-12236

A potential bug by a code smell

MULE-12183

AbstractAsyncRequestReplyRequester should not add correlation sequence to correlationID

MULE-12040

Don’t use application log after the application is undeployed

MULE-12023

In HttpMultipartMuleMessageFactory, multiple threads use instance variable without syncronization

MULE-11948

Error message "Value of {cdata-section-elements} must be a list of QNames in '{uri}local' notation"

MULE-11920

JVM killed ungracefully on shutdown

MULE-11875

Race condition when putting an object in the registry asynchronously and disposing the muleContext at the same time

MULE-11857

A new version of the jws library needs to be updated so that the project is compiled using it.

MULE-11600

Lifecycle is incorrectly applied after application deployment fails

MULE-11301

Cannot change the signature key identifier when using WSS Sign security in the Web Service Consumer.

MULE-11246

Improve PGP Module

MULE-11128

LocationExecutionContextProvider doesn’t mask passwords

MULE-11127

Cannot default to request config requestStreamingMode nor sendBodyMode

MULE-11089

Deployment tries to redeploy when an app has a missing plugin

MULE-10999

Update xmlbeans dependency to our fork in mule-common

MULE-10886

Exception thrown in mule-domain-maven-plugin

MULE-10720

xml-to-dom-transformer default returnType should be org.w3c.dom.Document instead of byte[]

MULE-10719

Double Upload When Releasing With mule-domain-maven-plugin

MULE-8207

Fix ConcurrentModificationException in FileMessageReceiver

MULE-7794

CXF Proxy is throwing NPE when Schemas are imported in WSDL

MULE-1683

When the quartz connector is stopped, standby() method should be invoked instead of shutdown()

MULE-12385

Fix: Some endpoints allow to define a reconnection strategy

AGW-1529

Backoff info logs show insufficient info about the executed task.

AGW-1523

HTTP client responses are not consumed on error causing connection leak.

AGW-1482

Policies and contracts last known state is not preserved in Cloudhub.

AGW-1470

Right after deploying an application, platform policies are not requested.

AGW-1310

When RestClient fails to be initialized there is no automatic attempt to initialize again.

AGW-929

Gatekeeper should be able to use last known state.

Community Edition Enhancement Request

Issue Description

MULE-12961

WSC: Add support for WS-SecurityPolicy.

MULE-12989

Moving tmp folder inside execution (.mule) and remove it when undeploying

MULE-12638

Allow schedulers configuration

MULE-12522

ProcessorNotificationPath badly generated for Transactional scope

MULE-11989

Generic DB Config should accept user and password as attributes

MULE-10718

Enrich HttpClient exception to include request URI

MULE-9218

Http Calls performance degrades after time due grizzly connection pool.

MULE-8252

When the status code is set, http listener should auto complete de reason phrase

MULE-7081

SFTP sizeCheckWaitTime should be applied per poll cycle instead of per file

MULE-6619

Flow initialState should support a property placeholder

MULE-12919

Improve FTP Receiver Reconnection

MULE-12717

Add status parameter to mule.bat

MULE-12245

Remove endorsed XML libraries

Community Edition Migration to Mule 3.9.0

When migrating to Mule 3.9.0, follow the implicit and explicit guidelines related to these issues:

Issue Description

MULE-12245

Old Xalan and Xerces implementations were removed in favor of the newer versions included in Java. Only minor incompatibilities could result such as ordering changes of some XML attributes.

MULE-12017

log4j was updated from 2.5 to 2.8.2 and slf4j from 1.7.7 to 1.7.24. There is a minor incompatibility with code using logger.error(null, "message", e), in which case the first null argument should be omitted.

MULE-11948

Saxon was upgraded from 9.6.0-7 to 9.6.0-10

MULE-9931

Transaction log files size are now restricted by size, using a default size of 500 mb. The configured size is just an approximated value which may be exceeded based on the size of the record store by the transaction. This is configurable using the attribute queueTransactionFilesSize of the <configuration> element.
The size restriction applies to the set of transaction log files for local transactions and XA transactions independently meaning that if both types of transactions are used for queue the set of tx files will use up to 1 gb."

MULE-10100

Processing after a synchronous until successful resulting in a VoidMuleEvent will now continue with the original event.

MULE-10306

XML entity expansion in XML transformers is now disabled by default because it allows DoS attacks. To restore previous behavior use the expandInternalEntities="true" attribute.

MULE-10686

XML entity expansion in Jersey is now disabled by default because it allows DoS attacks. To restore previous behavior use the mule.xml.expandInternalEntities=true property.

MULE-10979

The default response timeout and default transaction timeout can’t be configured using system properties on the command line or in the wrapper.conf file anymore. In replacement, use the configuration element. For example: <configuration defaultResponseTimeout="20000" defaultTransactionTimeout="40000"/>.

MULE-11118

The HTTP listener now replies with status code 503 when the thread pool is exhausted (and poolExhaustedAction="ABORT") instead of closing the socket.

MULE-11825

In a DB template query, to set a DB param with the null value, you can use the "NULL" literal value. For example: <db:in-param name="name" defaultValue="NULL"/>

MULE-12385

Reconnection Strategies can only be defined in connector components or globally (using <configuration> element). In mule 3.x, defining reconnection strategies was being supported by the XSD, but ignored by Runtime. Now, the XSD was changed to not allow to use this invalid configuration.

MULE-12612

As FTP reconnection is at operation level, FTP connector does not support asynchronous reconnection strategies because it only makes sense if reconnection takes place during the start phase of the connector lifecycle. In case you use this kind of reconnection, please change them as follows: <reconnect blocking="true"/> inside FTP Connector, or just remove the blocking attribute.

MULE-13164

Inconsistent null return from one-way VM inbound endpoint. From Mule 3.9 one-way inbound VM endpoints will now consistently return null to Flow using a request-response outbound endpoint or Mule Client using send(). (In previous versions a successful response led to null return yet an error resulted in a message being returned.)

MULE-11246

The secretAliasId parameter isn’t mandatory anymore. If not given, Mule will take the secretAliasId from the message to decrypt. Additionally, from 3.9.x the secretAliasId must be an hexadecimal value.

MULE-11161

The default PGP Encryption algorithm has been changed from CAST5 to AES 256.

Community Updated Libraries

Issue Description

MULE-13336

Update Grizzly to version 2.3.33

MULE-13197

Update json-schema-validator version to 2.2.8

MULE-12590

Upgrade JRuby to 1.7.27

MULE-12821

Upgrade abdera-client to 1.1.3

MULE-12782

Upgrade commons lang to 3.6

MULE-11948

Saxon was upgraded from 9.6.0-7 to 9.6.0-10

MULE-13199

Upgrade Jackson to 2.8.9

MULE-13477

Upgrade Grizzly AHC to 1.14 release

MULE-13443

Upgrade CXF to 2.7.19-MULE-002 patch release.

MULE-9587

Upgrade ActiveMQ to version 5.15.0

MULE-13176

Upgrade commons-validator to 1.6

MULE-12755

Upgrade Drools to 5.2.1.Final

MULE-12754

Upgrade XStream to 1.4.10

MULE-12565

Upgrade Ant to 1.9.6

MULE-10612

Upgrade JAXB to 2.1.17

MULE-10466

Update javax transport version to 1.2

MULE-12344

Update tomcat to 6.0.53

Community Edition Known Issues

MULE-10967 Flow name can’t be a system property used in http listener path

Enterprise Edition Resolved Issues

Issue Description

EE-5686

When stopping a cluster, dispose is not invoked

EE-5563

An option to set Hazelcast transactions as TWO_PHASE should be available

EE-5521

Race condition when finishExecution in batch blocks dispatcher for any job till on complete phase finishes

EE-5384

In WS endpoint, queue is a required attribute when It shouldn’t

EE-5159

Exception locking polling lock on Mule graceful shutdown

EE-5070

Possible DoS in Xerces processing of remote provided XML (CVE-2013-4002)

Enterprise Enhancement Request

Issue Description

EE-5646

Add callables library in EE distributions for hazelcast client mode

EE-5100

Change the default tanuki timeout action

Enterprise Edition Migration to Mule 3.9.0

When migrating to the Mule 3.9.0 Enterprise Environment, follow the implicit and explicit guidelines related to these issues:

Issue Description

EE-5021

Kryo was upgraded from 3.0.3 to 4.0.0. WARNING: A fresh install is required when upgrading to Mule 3.9.

Enterprise Edition Updated Libraries

Issue Description

EE-5021

Upgrade kryo to 4.0.0

Enterprise Edition Known Issues

This version does not support Open ID Connect. You may see the policy available in the UI despite this, but you won’t be able to apply it effectively. It will be supported in later versions.

Community Edition Known Issues

EE-5553 NPE when jmsCorrelationId is null in websphere MQ