HTTP Connector Security Update - Mule 3

Released: February 5, 2015

Version Impacted: Mule 3.6.0

Component Impacted: HTTP Connector

What is the issue?

The new HTTP connector released in Mule 3.6.0 when configured to act as a HTTPS client does not validate the certificate presented by the remote server prior to establishing the TLS/SSL connection.

What are the impacts of this issue?

Any certificate provided by the server is implicitly accepted and processing continues. This potentially exposes messages sent by the HTTP Connector to man-in-the-middle attacks or certain forms of impersonation attacks.

What are the mitigating factors against this vulnerability?

As Mule 3.6.0 was recently released (GA: January 17, 2015), it is unlikely customers have migrated to the new HTTP Connector. Mule applications leveraging the previously available HTTP Transport are not impacted.

What is being done about this?

MuleSoft has identified and resolved this vulnerability and immediately made a patch available for enterprise subscription customers. The patch can be downloaded from the customer portal. This fix has been incorporated into Mule 3.6.1 which MuleSoft released on March 4, 2015 and is available from the customer portal as well as from and

If I am affected, what can I do in the interim?

Enterprise customers using the new HTTP Connector in Mule ESB 3.6.0 are strongly advised apply the patch immediately or upgrade to Mule ESB 3.6.1. Please reference the support knowledge base for more information on this process.

Community customers who do not have access to the patch are advised to use the old HTTP Transport or upgrade to Mule 3.6.1.

How does this issue impact my CloudHub deployment?

CloudHub users who had deployed applications to Mule 3.6.0 EE needed to restart those applications to take advantage of a patch applied to CloudHub on February 5, 2015. Now that Mule 3.6.1 EE is available in CloudHub, customers no longer have the option to deploy to Mule 3.6.0 EE.

Was this article helpful?

💙 Thanks for your feedback!

Give us your feedback!
We want to build the best documentation experience for you!
Help us improve with your feedback.
Take the survey!