Nav

HTTP Connector Security Update

Released: February 5, 2015

Version Impacted: Mule ESB 3.6.0

Component Impacted: HTTP Connector

What is the issue?

The new HTTP connector released in Mule ESB 3.6.0 when configured to act as a HTTPS client does not validate the certificate presented by the remote server prior to establishing the TLS/SSL connection.

What are the impacts of this issue?

Any certificate provided by the server is implicitly accepted and processing continues. This potentially exposes messages sent by the HTTP Connector to man-in-the-middle attacks or certain forms of impersonation attacks.

What are the mitigating factors against this vulnerability?

As Mule ESB 3.6.0 was recently released (GA: January 17, 2015), it is unlikely customers have migrated to the new HTTP Connector. Mule applications leveraging the previously available HTTP Transport are not impacted.

What is being done about this?

MuleSoft has identified and resolved this vulnerability and immediately made a patch available for enterprise subscription customers. The patch can be downloaded from the customer portal. This fix has been incorporated into Mule ESB 3.6.1 which MuleSoft released on March 4, 2015 and is available from the customer portal as well as from mulesoft.org and mulesoft.com.

If I am affected, what can I do in the interim?

Enterprise customers using the new HTTP Connector in Mule ESB 3.6.0 are strongly advised apply the patch immediately or upgrade to Mule ESB 3.6.1. Please reference the support knowledge base for more information on this process.

Community customers who do not have access to the patch are advised to use the old HTTP Transport or upgrade to Mule ESB 3.6.1.

How does this issue impact my CloudHub deployment?

CloudHub users who had deployed applications to Mule ESB 3.6.0 EE needed to restart those applications to take advantage of a patch applied to CloudHub on February 5, 2015.  Now that Mule ESB 3.6.1 EE is available in CloudHub, customers no longer have the option to deploy to Mule ESB 3.6.0 EE.