HTTP Connector Security Update
Released: February 5, 2015
Version Impacted: Mule ESB 3.6.0
Component Impacted: HTTP Connector
The new HTTP connector released in Mule ESB 3.6.0 when configured to act as a HTTPS client does not validate the certificate presented by the remote server prior to establishing the TLS/SSL connection.
Any certificate provided by the server is implicitly accepted and processing continues. This potentially exposes messages sent by the HTTP Connector to man-in-the-middle attacks or certain forms of impersonation attacks.
As Mule ESB 3.6.0 was recently released (GA: January 17, 2015), it is unlikely customers have migrated to the new HTTP Connector. Mule applications leveraging the previously available HTTP Transport are not impacted.
MuleSoft has identified and resolved this vulnerability and immediately made a patch available for enterprise subscription customers. The patch can be downloaded from the customer portal. This fix has been incorporated into Mule ESB 3.6.1 which MuleSoft released on March 4, 2015 and is available from the customer portal as well as from mulesoft.org and mulesoft.com.
Enterprise customers using the new HTTP Connector in Mule ESB 3.6.0 are strongly advised apply the patch immediately or upgrade to Mule ESB 3.6.1. Please reference the support knowledge base for more information on this process.
Community customers who do not have access to the patch are advised to use the old HTTP Transport or upgrade to Mule ESB 3.6.1.
CloudHub users who had deployed applications to Mule ESB 3.6.0 EE needed to restart those applications to take advantage of a patch applied to CloudHub on February 5, 2015. Now that Mule ESB 3.6.1 EE is available in CloudHub, customers no longer have the option to deploy to Mule ESB 3.6.0 EE.