Mule Runtime 3.9.1 Release Notes

Initial Release: April 23, 2018

Mule Runtime 3.9.1 includes fixes and patch update releases.

September 2023

What’s New

This release includes security updates.

Patch release version: 3.9.1-20230823

This patch update addresses the following issues:

Description	Issue
This release includes important security enhancements and fixes.	W-13916544

Description

Issue

This release includes important security enhancements and fixes.

W-13916544

There is no DataWeave update for this version this month.

For guidance with the patching process, see Apply Patch Updates.

May 2023

Patch release version: 3.9.1-20230424

This patch update addresses the following issues:

Description	Issue
This release fixes runtime generated usage metrics.	W-12981071

Description

Issue

This release fixes runtime generated usage metrics.

W-12981071

There is no DataWeave update for this version this month.

For guidance with the patching process, see Apply Patch Updates.

April 23, 2018

This document describes new features and enhancements, known limitations, issues, and fixes in Mule Runtime 3.9.1.

Be sure to read this document before you install this release. For reference, save these release notes to your hard drive or print a copy.

New Features and Enhancements

Regarding API Gateway capabilities:

This patch version ships with the OpenID Connect library missing on v3.9.0, which allows to use the out-of-the-box OpenID Connect oAuth 2.0 token enforcement policy.
In the previous version, in the case of APIKit based Mule apps, only the root RAML was uploaded by API Autodiscovery when the API was created. Now the root RAML and the files specified in the include entries of the RAML, which are included in the Mule application in folders which are present in the root, are also uploaded.
This version enhances analytics data with Host name information.
Outage management is improved: Backoff behavior and its corresponding logs, Gatekeeper behavior when initializing and Gatekeeper flexible mode logs on Cloudhub.
Security fixes.
DataWeave:
- Adds support for surrogated chars in UTF-8.
- Adds a new system property to control caches: com.mulesoft.dw.mapping.cache.size for mapping cache, com.mulesoft.dw.p_function.cache.size to control p function cache.
- Supporting RFC 4180. Empty quotes are treated as empty values.
- Support for underflow and overflow.
Mule as Websphere/Weblogic Custom Service
- New functionality was added to manage license keys in the default OS Java preferences location. This is used for effective license verification when Mule is deployed as a Mule Websphere Custom Service.

Changes in This Release

Disable TLS_RSA encryption ciphers as part of protection against the ROBOT attack (https://robotattack.org/)
Remove Drools module from distribution (check the Drools doc for details in case you need to use it: https://docs.mulesoft.com/mule-user-guide/v/3.9/drools-module-reference)
Gatekeeper’s default configuration value is now updated from strict to flexible.

Fixed Issues

Issue Description

Issue	Description
MULE-14866	Only asynchronous notifications should receive a copy of the MuleEvent.
MULE-14835	In until-successful scope, if an exception occurs only the last retry payload is closed.
MULE-14829	HTTP listener does not close streams when NEVER is set
MULE-14775	JMSConnector can’t reconnect if the broker breaks when the application is stopped
MULE-14764	HttpRequester lifecycle is not managed properly in OAuth scenarios.
MULE-14683	Mime Type Disappears Dissapears in VM inbound when under load
MULE-14623	JMSMessageToObject causes NPE in debug mode.
MULE-14605	Deadlock when two JDBC connections are created concurrently before the DriverManager classloading takes place
MULE-14601	Json Schema Validator treats duplicate keys in an inconsistent way depending on the input type.
MULE-14549	CXF is writing payload after the latest boundary in multipart/related scenarios
MULE-14541	Status code validators cannot handle spaces in the values
MULE-14540	Use an independent lock to synchronize the lifecycle of the MuleContext
MULE-14531	In XML Schema Validation Filter, ErrorHandler doesn’t receive validation error notifications
MULE-14529	XMLSecureFactories is setting unsupported properties at factories creation.
MULE-14507	When payload is empty, HTTP Requester should send a zero content length.
MULE-14461	transactional element not propagating flowConstruct
MULE-14421	After domain full redeployment failure, all dependent applications are removed.
MULE-14416	Optimise HTTP retry on remotely close logic
MULE-14408	MVEL error in chained calls where two or more objects of the chain possess the same method signature
MULE-14381	Process empty files In File Connector should be optional
MULE-14357	ClassCastException in FileConnector restart
MULE-14319	encoded characters in SMTP username cause failure on reconnection
MULE-14309	Domain is not being disposed with its own classloader.
MULE-14304	SFTP Connector not masking Passwords in Exceptions and Logs with bad host/port
MULE-14297	OAuth is not supported in domain scenarios.
MULE-14287	MEL caching strategy is inconsistent when the variable accesor is set
MULE-14282	When an accExpr is not compiled yet DataType propagation generates a NPE
MULE-14264	Fix HttpRequestProxyConfigTestCase
MULE-14194	HTTP connector fails to close streaming content connection from HEAD request
MULE-14178	JMS connector is printing DEBUG logs as ERROR
MULE-14160	HTTP Connector does not route OAuth tokens request through proxy.
MULE-14135	getFullStackTrace has to be added to ExceptionUtils to guarantee retrocompatibility
MULE-14133	Change DISCARD and DISCARD_OLDEST behavior so that the http connector does not timeout
MULE-14123	In FTP Transport, checking if a resource is a file degrades performance
MULE-14115	In Db Module, CLOB implementation is JDBC version dependent.
MULE-14098	When resolving importBase for JAR files in WSDL solving, Unix separator has to be preserved
MULE-14053	Update commons-io to 2.6 to avoid problems when deserialize primitive types
MULE-14035	Automatic retry on remote Closed exception does not respect RFC 7320
MULE-14030	SAXParseException when trying to import nested xsd
MULE-14019	Deserialization does not handle primitive types
MULE-14009	Mule context not disposed if doTearDown method fails
MULE-14004	TransactionManager and TransactionManagerFactory definition should be mutually exclusive
MULE-13978	SFTP logging does not mask credentials when special regex chars in password
MULE-13974	ObjectToJMSMessage does not register source types
MULE-13969	SFTP receiver reconnection is invoking exceptionListener twice.
MULE-13963	idempotent-message-filter throws null pointer exception when onUnaccept forwards to a sub-flow
MULE-13941	Dynamic flow reference from a For-Each causes 'ConcurrentModificationException'
MULE-13935	In Message Filter, unacceptedMessageProcessor is not being notified
MULE-13934	Failure when attempting to access an XSD file with an WSDL with an HTTP/HTTPS base path
MULE-13933	MVEL functions with object instantiations doesn’t work well in heavy load.
MULE-13916	Race condition when firing rules from concurrent threads in drools module
MULE-14383	Disable RSA encryption ciphers
MULE-13833	Change default sslType to use the JVM’s one.
MULE-13825	Users must be able to set the name of a stream inside encrypted file of PGP
MULE-13811	EventGroup is not disposing unused object store partitions
MULE-13788	Oauth authentication using refreshTokenWhen parameter is not retaining attachments and properties
MULE-13761	Add serial version UID in SimpleDataType to allow migration in case of changes from older version
MULE-13746	Race condition when verifying group expiration just before resequencer finishes
MULE-13738	Is not possble to tell in some DeploymentListener notifications if they’re fired by an app or domain
MULE-13737	SftpClient are not released in permission failure scenarios.
MULE-13732	GraphTransformerResolver is not handling correctly concurrency access
MULE-13729	Collection Aggregator does not honor the arrival order
MULE-13723	Support out-of-browser applications in OAuth module redirect url
MULE-13718	ClusterCoreExtension is not being loaded as a domain deployment listeners
MULE-13698	PollingReceiverWorker should clean RequestContext after performing poll.
MULE-13678	When more than one regex is used as a file system, trim is not performed
MULE-13398	Propagation of SSL prevents Jackson serialization of InboundProperties
MULE-13034	Error responses with special characters should be scaped
MULE-12617	Prefetch size cannot be set for activemq-connector to guarantee order
MULE-12400	Mule referencing buggy jruby-engine pom
MULE-10304	Application redeployment fails to undeploy old application
MULE-9658	Empty timeZone in poll doesn’t fallback to server time zone
MULE-8923	maxRows on db:select element is not really substitutable
EE-5988	Jdbc object store in cluster creates a connection pool for every JdbcMap
EE-5960	Provide capability to transform file names in database cluster object store
EE-5901	JDBCMapStore is commiting auto-commit transactions.
EE-5895	JdbcMapStore is not SQL92 compliant.
EE-5866	HTTP request fails when certain multiple encoded characters are included.
EE-5762	BitronixTransactionManager can’t be referenced from Spring beans.
EE-5760	BatchJobInstance does not wait for all dispatched records to finish before shutting down
EE-5723	Fix Serialization problems when AMQP and Caching Strategy are used together.
EE-5700	Bitronix does not clean ActiveMQ ended transaction contexts in case of failure/recovery
EE-5689	Batch test cases do not dispose context if final assertions fail
EE-5069	Possible DoS in HTTP transport due to old commons-httpclient
EE-4965	JDBC Map Store - Application name length limitation
AGW-2047	Missing OpenID Connect lib from v3.9.1 distribution
AGW-1772	Error saving policy cache file when api name or version have invalid filename characters
AGW-1474	Some Throttling configurations may allow DoS attacks
AGW-1951	Pointcut cache can have key collisions when using resource level policies and +1 sources
AGW-1946	API created with auto discovery from RAML 1.0 spec with includes doesn’t attach includes
AGW-1788	Small insecurity window regression
AGW-1640	S3 backup access forbidden to bucket
AGW-1786	Missing logs in CloudHub
AGW-1737	API Gateway Agent does not work with proxy with authentication
AGW-1809	Apply backoff on IOException
AGW-1780	Analytic sending 200 when the flow ended with a 500
AGW-1487	API Auto Discovery is uploading only the Root RAML
AGW-1563	SLA tiers change [agw-policy-watcher] warns about a policy direct modification
AGW-1586	Outage status codes property not being used for backoff
AGW-1458	Backport entry limits to Analytics cache
AGW-1771	AnalyticsQueue addAll only adds till the first successful
(No Issue Number)	DataWeave fixes: Fixes security vulnerability in Apache POI. Enum should not be kept as Enum and not converted to String. DataWeave was generating wrong number values instances on Java writer. Excel was not able to do random access. Relative timezones such as Australia/NSW should be resolved against the shifted time and not local. Equals should work based on values and not types. DataWeave failed to parse an XML attribute. `sizeOf` operator should work over numbers with system property `com.mulesoft.dw.sizeOfIntEnabled`. Fixes `Weave reader not able to reuse values`. Avoid exception propagation. DataWeave was double-escaping on large XML payloads.

MULE-14866

Only asynchronous notifications should receive a copy of the MuleEvent.

MULE-14835

In until-successful scope, if an exception occurs only the last retry payload is closed.

MULE-14829

HTTP listener does not close streams when NEVER is set

MULE-14775

JMSConnector can’t reconnect if the broker breaks when the application is stopped

MULE-14764

HttpRequester lifecycle is not managed properly in OAuth scenarios.

MULE-14683

Mime Type Disappears Dissapears in VM inbound when under load

MULE-14623

JMSMessageToObject causes NPE in debug mode.

MULE-14605

Deadlock when two JDBC connections are created concurrently before the DriverManager classloading takes place

MULE-14601

Json Schema Validator treats duplicate keys in an inconsistent way depending on the input type.

MULE-14549

CXF is writing payload after the latest boundary in multipart/related scenarios

MULE-14541

Status code validators cannot handle spaces in the values

MULE-14540

Use an independent lock to synchronize the lifecycle of the MuleContext

MULE-14531

In XML Schema Validation Filter, ErrorHandler doesn’t receive validation error notifications

MULE-14529

XMLSecureFactories is setting unsupported properties at factories creation.

MULE-14507

When payload is empty, HTTP Requester should send a zero content length.

MULE-14461

transactional element not propagating flowConstruct

MULE-14421

After domain full redeployment failure, all dependent applications are removed.

MULE-14416

Optimise HTTP retry on remotely close logic

MULE-14408

MVEL error in chained calls where two or more objects of the chain possess the same method signature

MULE-14381

Process empty files In File Connector should be optional

MULE-14357

ClassCastException in FileConnector restart

MULE-14319

encoded characters in SMTP username cause failure on reconnection

MULE-14309

Domain is not being disposed with its own classloader.

MULE-14304

SFTP Connector not masking Passwords in Exceptions and Logs with bad host/port

MULE-14297

OAuth is not supported in domain scenarios.

MULE-14287

MEL caching strategy is inconsistent when the variable accesor is set

MULE-14282

When an accExpr is not compiled yet DataType propagation generates a NPE

MULE-14264

Fix HttpRequestProxyConfigTestCase

MULE-14194

HTTP connector fails to close streaming content connection from HEAD request

MULE-14178

JMS connector is printing DEBUG logs as ERROR

MULE-14160

HTTP Connector does not route OAuth tokens request through proxy.

MULE-14135

getFullStackTrace has to be added to ExceptionUtils to guarantee retrocompatibility

MULE-14133

Change DISCARD and DISCARD_OLDEST behavior so that the http connector does not timeout

MULE-14123

In FTP Transport, checking if a resource is a file degrades performance

MULE-14115

In Db Module, CLOB implementation is JDBC version dependent.

MULE-14098

When resolving importBase for JAR files in WSDL solving, Unix separator has to be preserved

MULE-14053

Update commons-io to 2.6 to avoid problems when deserialize primitive types

MULE-14035

Automatic retry on remote Closed exception does not respect RFC 7320

MULE-14030

SAXParseException when trying to import nested xsd

MULE-14019

Deserialization does not handle primitive types

MULE-14009

Mule context not disposed if doTearDown method fails

MULE-14004

TransactionManager and TransactionManagerFactory definition should be mutually exclusive

MULE-13978

SFTP logging does not mask credentials when special regex chars in password

MULE-13974

ObjectToJMSMessage does not register source types

MULE-13969

SFTP receiver reconnection is invoking exceptionListener twice.

MULE-13963

idempotent-message-filter throws null pointer exception when onUnaccept forwards to a sub-flow

MULE-13941

Dynamic flow reference from a For-Each causes 'ConcurrentModificationException'

MULE-13935

In Message Filter, unacceptedMessageProcessor is not being notified

MULE-13934

Failure when attempting to access an XSD file with an WSDL with an HTTP/HTTPS base path

MULE-13933

MVEL functions with object instantiations doesn’t work well in heavy load.

MULE-13916

Race condition when firing rules from concurrent threads in drools module

MULE-14383

Disable RSA encryption ciphers

MULE-13833

Change default sslType to use the JVM’s one.

MULE-13825

Users must be able to set the name of a stream inside encrypted file of PGP

MULE-13811

EventGroup is not disposing unused object store partitions

MULE-13788

Oauth authentication using refreshTokenWhen parameter is not retaining attachments and properties

MULE-13761

Add serial version UID in SimpleDataType to allow migration in case of changes from older version

MULE-13746

Race condition when verifying group expiration just before resequencer finishes

MULE-13738

Is not possble to tell in some DeploymentListener notifications if they’re fired by an app or domain

MULE-13737

SftpClient are not released in permission failure scenarios.

MULE-13732

GraphTransformerResolver is not handling correctly concurrency access

MULE-13729

Collection Aggregator does not honor the arrival order

MULE-13723

Support out-of-browser applications in OAuth module redirect url

MULE-13718

ClusterCoreExtension is not being loaded as a domain deployment listeners

MULE-13698

PollingReceiverWorker should clean RequestContext after performing poll.

MULE-13678

When more than one regex is used as a file system, trim is not performed

MULE-13398

Propagation of SSL prevents Jackson serialization of InboundProperties

MULE-13034

Error responses with special characters should be scaped

MULE-12617

Prefetch size cannot be set for activemq-connector to guarantee order

MULE-12400

Mule referencing buggy jruby-engine pom

MULE-10304

Application redeployment fails to undeploy old application

MULE-9658

Empty timeZone in poll doesn’t fallback to server time zone

MULE-8923

maxRows on db:select element is not really substitutable

EE-5988

Jdbc object store in cluster creates a connection pool for every JdbcMap

EE-5960

Provide capability to transform file names in database cluster object store

EE-5901

JDBCMapStore is commiting auto-commit transactions.

EE-5895

JdbcMapStore is not SQL92 compliant.

EE-5866

HTTP request fails when certain multiple encoded characters are included.

EE-5762

BitronixTransactionManager can’t be referenced from Spring beans.

EE-5760

BatchJobInstance does not wait for all dispatched records to finish before shutting down

EE-5723

Fix Serialization problems when AMQP and Caching Strategy are used together.

EE-5700

Bitronix does not clean ActiveMQ ended transaction contexts in case of failure/recovery

EE-5689

Batch test cases do not dispose context if final assertions fail

EE-5069

Possible DoS in HTTP transport due to old commons-httpclient

EE-4965

JDBC Map Store - Application name length limitation

AGW-2047

Missing OpenID Connect lib from v3.9.1 distribution

AGW-1772

Error saving policy cache file when api name or version have invalid filename characters

AGW-1474

Some Throttling configurations may allow DoS attacks

AGW-1951

Pointcut cache can have key collisions when using resource level policies and +1 sources

AGW-1946

API created with auto discovery from RAML 1.0 spec with includes doesn’t attach includes

AGW-1788

Small insecurity window regression

AGW-1640

S3 backup access forbidden to bucket

AGW-1786

Missing logs in CloudHub

AGW-1737

API Gateway Agent does not work with proxy with authentication

AGW-1809

Apply backoff on IOException

AGW-1780

Analytic sending 200 when the flow ended with a 500

AGW-1487

API Auto Discovery is uploading only the Root RAML

AGW-1563

SLA tiers change [agw-policy-watcher] warns about a policy direct modification

AGW-1586

Outage status codes property not being used for backoff

AGW-1458

Backport entry limits to Analytics cache

AGW-1771

AnalyticsQueue addAll only adds till the first successful

(No Issue Number)

DataWeave fixes:

Fixes security vulnerability in Apache POI.
Enum should not be kept as Enum and not converted to String.
DataWeave was generating wrong number values instances on Java writer.
Excel was not able to do random access.
Relative timezones such as Australia/NSW should be resolved against the shifted time and not local.
Equals should work based on values and not types.
DataWeave failed to parse an XML attribute.
sizeOf operator should work over numbers with system property com.mulesoft.dw.sizeOfIntEnabled.
Fixes Weave reader not able to reuse values.
Avoid exception propagation.
DataWeave was double-escaping on large XML payloads.

Enhancement Request Issues

Issue	Description
MULE-14580	Update DefaultResourceReleaser for newer mysql versions
MULE-12551	Fix commons-beanutils vulnerability
EE-6010	Support PowerPC Little endian
EE-5991	Allow the user to configure cluster datasource as cluster properties
EE-5816	Need to validate Hostname resolution and error reporting in Mule HTTP module
EE-4945	JDBC Map Store: Add support for configurable DataSource
AGW-1953	API tracking is not retried in case of error in secondary nodes
AGW-1995	Add Host Server name as part of the Analytics data 3.x

Issue

Description

MULE-14580

Update DefaultResourceReleaser for newer mysql versions

MULE-12551

Fix commons-beanutils vulnerability

EE-6010

Support PowerPC Little endian

EE-5991

Allow the user to configure cluster datasource as cluster properties

EE-5816

Need to validate Hostname resolution and error reporting in Mule HTTP module

EE-4945

JDBC Map Store: Add support for configurable DataSource

AGW-1953

API tracking is not retried in case of error in secondary nodes

AGW-1995

Add Host Server name as part of the Analytics data 3.x

Known Limitations and Workarounds

Issue	Description
MULE-14848	Cxf does not correctly resolve Exchange Pattern in bindings with multiple operations

Issue

Description

MULE-14848

Cxf does not correctly resolve Exchange Pattern in bindings with multiple operations

Upgrade Requirements

Issue	Description
MULE-14381	By default, the File Connector processes empty files. For disabling this behavior use the mule.transport.file.ignoreEmptyFiles=true system property
MULE-14507	The HTTP Requester now sends a zero content length in empty payloads scenarios. For disabling this behavior use the mule.http.client.avoidZeroContentLength=true system property.
MULE-14169	Remove Drools module from distribution (check the Drools doc for details in case you need to use it: https://docs.mulesoft.com/mule-user-guide/v/3.9/drools-module-reference)

Issue

Description

MULE-14381

By default, the File Connector processes empty files. For disabling this behavior use the mule.transport.file.ignoreEmptyFiles=true system property

MULE-14507

The HTTP Requester now sends a zero content length in empty payloads scenarios. For disabling this behavior use the mule.http.client.avoidZeroContentLength=true system property.

MULE-14169

Remove Drools module from distribution (check the Drools doc for details in case you need to use it: https://docs.mulesoft.com/mule-user-guide/v/3.9/drools-module-reference)

Library Changes

Issue	Description
MULE-14842	Update commons-lang version to 2.6
MULE-14832	Update commons-httpclient to 3.1-14-MULE-001
MULE-14831	Update Jackson 1 to 1.9.14-MULE-002
MULE-14795	Upgrade Jackson 2 to Upgrade Jackson to 2.9.5
MULE-14763	Upgrade Jetty to 9.2.24.v20180105
MULE-14639	Upgrade jruby-stdlib to 9.1.16.0 in Scripting Module
MULE-14618	Upgrade Spring JMS to 4.1.9.RELEASE-MULE-001
MULE-14462	Upgrade MVEL to 2.1.9-MULE-015 version
MULE-14442	Upgrade Grizzly version 2.3.35
MULE-14382	Upgrade BouncyCastle to 1.59
MULE-14144	Upgrade Spring LDAP to 2.3.2
MULE-14053	Update commons-io to 2.6 to avoid problems when deserialize primitive types
MULE-13487	Upgrade JAXB to version 2.3.0-MULE-001 and CXF to 2.7.19-MULE-003.

Issue

Description

MULE-14842

Update commons-lang version to 2.6

MULE-14832

Update commons-httpclient to 3.1-14-MULE-001

MULE-14831

Update Jackson 1 to 1.9.14-MULE-002

MULE-14795

Upgrade Jackson 2 to Upgrade Jackson to 2.9.5

MULE-14763

Upgrade Jetty to 9.2.24.v20180105

MULE-14639

Upgrade jruby-stdlib to 9.1.16.0 in Scripting Module

MULE-14618

Upgrade Spring JMS to 4.1.9.RELEASE-MULE-001

MULE-14462

Upgrade MVEL to 2.1.9-MULE-015 version

MULE-14442

Upgrade Grizzly version 2.3.35

MULE-14382

Upgrade BouncyCastle to 1.59

MULE-14144

Upgrade Spring LDAP to 2.3.2

MULE-14053

Update commons-io to 2.6 to avoid problems when deserialize primitive types

MULE-13487

Upgrade JAXB to version 2.3.0-MULE-001 and CXF to 2.7.19-MULE-003.

Compatibility Notes

The unified Mule Runtime 3.9.1 and API Gateway is compatible with APIkit 3.9.1.
This version of Mule runtime is bundled with the Runtime Manager Agent plugin version 1.9.5.
This release is supported on Anypoint Private Cloud Edition 1.6.1 and later.

Software Compatibility Testing

Mule was tested on the following software:

Software	Version
JDK	Oracle JDK 1.8.0 (Recommended JDK 1.8.0_151/52), IBM JDK 1.8, OpenJDK 8
OS	MacOS 10.11.x, HP-UX 11i V3, AIX 7.2, Windows Server 2019, Windows 10, Solaris 11.3, RHEL 7, Ubuntu Server 16.04
Application Servers	Tomcat 7, Tomcat 8, Weblogic 12c, Wildfly 8, Wildfly 9, Websphere 8, Jetty 8, Jetty 9
Databases	Oracle 11g, Oracle 12c, MySQL 5.5+, DB2 10, PostgreSQL 9, Derby 10, Microsoft SQL Server 2014

Software

Version

JDK

Oracle JDK 1.8.0 (Recommended JDK 1.8.0_151/52), IBM JDK 1.8, OpenJDK 8

MacOS 10.11.x, HP-UX 11i V3, AIX 7.2, Windows Server 2019, Windows 10, Solaris 11.3, RHEL 7, Ubuntu Server 16.04

Application Servers

Tomcat 7, Tomcat 8, Weblogic 12c, Wildfly 8, Wildfly 9, Websphere 8, Jetty 8, Jetty 9

Databases

Oracle 11g, Oracle 12c, MySQL 5.5+, DB2 10, PostgreSQL 9, Derby 10, Microsoft SQL Server 2014

Note that for RHEL 7, kernel version 3.10.0-1062 has an issue related to log4j2 that you can address by following guidance in the MuleSoft Knowledge Base article Mule Runtime CPU Utilization Increased After Patching the Linux Kernel to Kernel-3.10.0-1062.