This release includes important security enhancements and fixes.
Mule Runtime 3.9.1 Release Notes
Initial Release: April 23, 2018
Mule Runtime 3.9.1 includes fixes and patch update releases.
September 2023
What’s New
This release includes security updates.
Patch release version: 3.9.1-20230823
This patch update addresses the following issues:
Description | Issue |
---|---|
W-13916544 |
There is no DataWeave update for this version this month.
For guidance with the patching process, see Apply Patch Updates.
May 2023
Patch release version: 3.9.1-20230424
This patch update addresses the following issues:
Description | Issue |
---|---|
This release fixes runtime generated usage metrics. |
W-12981071 |
There is no DataWeave update for this version this month.
For guidance with the patching process, see Apply Patch Updates.
April 23, 2018
This document describes new features and enhancements, known limitations, issues, and fixes in Mule Runtime 3.9.1.
Be sure to read this document before you install this release. For reference, save these release notes to your hard drive or print a copy.
New Features and Enhancements
Regarding API Gateway capabilities:
-
This patch version ships with the OpenID Connect library missing on v3.9.0, which allows to use the out-of-the-box OpenID Connect oAuth 2.0 token enforcement policy.
-
In the previous version, in the case of APIKit based Mule apps, only the root RAML was uploaded by API Autodiscovery when the API was created. Now the root RAML and the files specified in the include entries of the RAML, which are included in the Mule application in folders which are present in the root, are also uploaded.
-
This version enhances analytics data with Host name information.
-
Outage management is improved: Backoff behavior and its corresponding logs, Gatekeeper behavior when initializing and Gatekeeper flexible mode logs on Cloudhub.
-
Security fixes.
-
DataWeave:
-
Adds support for surrogated chars in UTF-8.
-
Adds a new system property to control caches:
com.mulesoft.dw.mapping.cache.size
for mapping cache,com.mulesoft.dw.p_function.cache.size
to controlp
function cache. -
Supporting RFC 4180. Empty quotes are treated as empty values.
-
Support for underflow and overflow.
-
-
Mule as Websphere/Weblogic Custom Service
-
New functionality was added to manage license keys in the default OS Java preferences location. This is used for effective license verification when Mule is deployed as a Mule Websphere Custom Service.
-
Changes in This Release
-
Disable TLS_RSA encryption ciphers as part of protection against the ROBOT attack (https://robotattack.org/)
-
Remove Drools module from distribution (check the Drools doc for details in case you need to use it: https://docs.mulesoft.com/mule-user-guide/v/3.9/drools-module-reference)
-
Gatekeeper’s default configuration value is now updated from
strict
toflexible
.
Fixed Issues
Issue | Description |
---|---|
MULE-14866 |
Only asynchronous notifications should receive a copy of the MuleEvent. |
MULE-14835 |
In until-successful scope, if an exception occurs only the last retry payload is closed. |
MULE-14829 |
HTTP listener does not close streams when NEVER is set |
MULE-14775 |
JMSConnector can’t reconnect if the broker breaks when the application is stopped |
MULE-14764 |
HttpRequester lifecycle is not managed properly in OAuth scenarios. |
MULE-14683 |
Mime Type Disappears Dissapears in VM inbound when under load |
MULE-14623 |
JMSMessageToObject causes NPE in debug mode. |
MULE-14605 |
Deadlock when two JDBC connections are created concurrently before the DriverManager classloading takes place |
MULE-14601 |
Json Schema Validator treats duplicate keys in an inconsistent way depending on the input type. |
MULE-14549 |
CXF is writing payload after the latest boundary in multipart/related scenarios |
MULE-14541 |
Status code validators cannot handle spaces in the values |
MULE-14540 |
Use an independent lock to synchronize the lifecycle of the MuleContext |
MULE-14531 |
In XML Schema Validation Filter, ErrorHandler doesn’t receive validation error notifications |
MULE-14529 |
XMLSecureFactories is setting unsupported properties at factories creation. |
MULE-14507 |
When payload is empty, HTTP Requester should send a zero content length. |
MULE-14461 |
transactional element not propagating flowConstruct |
MULE-14421 |
After domain full redeployment failure, all dependent applications are removed. |
MULE-14416 |
Optimise HTTP retry on remotely close logic |
MULE-14408 |
MVEL error in chained calls where two or more objects of the chain possess the same method signature |
MULE-14381 |
Process empty files In File Connector should be optional |
MULE-14357 |
ClassCastException in FileConnector restart |
MULE-14319 |
encoded characters in SMTP username cause failure on reconnection |
MULE-14309 |
Domain is not being disposed with its own classloader. |
MULE-14304 |
SFTP Connector not masking Passwords in Exceptions and Logs with bad host/port |
MULE-14297 |
OAuth is not supported in domain scenarios. |
MULE-14287 |
MEL caching strategy is inconsistent when the variable accesor is set |
MULE-14282 |
When an accExpr is not compiled yet DataType propagation generates a NPE |
MULE-14264 |
Fix HttpRequestProxyConfigTestCase |
MULE-14194 |
HTTP connector fails to close streaming content connection from HEAD request |
MULE-14178 |
JMS connector is printing DEBUG logs as ERROR |
MULE-14160 |
HTTP Connector does not route OAuth tokens request through proxy. |
MULE-14135 |
getFullStackTrace has to be added to ExceptionUtils to guarantee retrocompatibility |
MULE-14133 |
Change DISCARD and DISCARD_OLDEST behavior so that the http connector does not timeout |
MULE-14123 |
In FTP Transport, checking if a resource is a file degrades performance |
MULE-14115 |
In Db Module, CLOB implementation is JDBC version dependent. |
MULE-14098 |
When resolving importBase for JAR files in WSDL solving, Unix separator has to be preserved |
MULE-14053 |
Update commons-io to 2.6 to avoid problems when deserialize primitive types |
MULE-14035 |
Automatic retry on remote Closed exception does not respect RFC 7320 |
MULE-14030 |
SAXParseException when trying to import nested xsd |
MULE-14019 |
Deserialization does not handle primitive types |
MULE-14009 |
Mule context not disposed if doTearDown method fails |
MULE-14004 |
TransactionManager and TransactionManagerFactory definition should be mutually exclusive |
MULE-13978 |
SFTP logging does not mask credentials when special regex chars in password |
MULE-13974 |
ObjectToJMSMessage does not register source types |
MULE-13969 |
SFTP receiver reconnection is invoking exceptionListener twice. |
MULE-13963 |
idempotent-message-filter throws null pointer exception when onUnaccept forwards to a sub-flow |
MULE-13941 |
Dynamic flow reference from a For-Each causes 'ConcurrentModificationException' |
MULE-13935 |
In Message Filter, unacceptedMessageProcessor is not being notified |
MULE-13934 |
Failure when attempting to access an XSD file with an WSDL with an HTTP/HTTPS base path |
MULE-13933 |
MVEL functions with object instantiations doesn’t work well in heavy load. |
MULE-13916 |
Race condition when firing rules from concurrent threads in drools module |
MULE-14383 |
Disable RSA encryption ciphers |
MULE-13833 |
Change default sslType to use the JVM’s one. |
MULE-13825 |
Users must be able to set the name of a stream inside encrypted file of PGP |
MULE-13811 |
EventGroup is not disposing unused object store partitions |
MULE-13788 |
Oauth authentication using refreshTokenWhen parameter is not retaining attachments and properties |
MULE-13761 |
Add serial version UID in SimpleDataType to allow migration in case of changes from older version |
MULE-13746 |
Race condition when verifying group expiration just before resequencer finishes |
MULE-13738 |
Is not possble to tell in some DeploymentListener notifications if they’re fired by an app or domain |
MULE-13737 |
SftpClient are not released in permission failure scenarios. |
MULE-13732 |
GraphTransformerResolver is not handling correctly concurrency access |
MULE-13729 |
Collection Aggregator does not honor the arrival order |
MULE-13723 |
Support out-of-browser applications in OAuth module redirect url |
MULE-13718 |
ClusterCoreExtension is not being loaded as a domain deployment listeners |
MULE-13698 |
PollingReceiverWorker should clean RequestContext after performing poll. |
MULE-13678 |
When more than one regex is used as a file system, trim is not performed |
MULE-13398 |
Propagation of SSL prevents Jackson serialization of InboundProperties |
MULE-13034 |
Error responses with special characters should be scaped |
MULE-12617 |
Prefetch size cannot be set for activemq-connector to guarantee order |
MULE-12400 |
Mule referencing buggy jruby-engine pom |
MULE-10304 |
Application redeployment fails to undeploy old application |
MULE-9658 |
Empty timeZone in poll doesn’t fallback to server time zone |
MULE-8923 |
maxRows on db:select element is not really substitutable |
EE-5988 |
Jdbc object store in cluster creates a connection pool for every JdbcMap |
EE-5960 |
Provide capability to transform file names in database cluster object store |
EE-5901 |
JDBCMapStore is commiting auto-commit transactions. |
EE-5895 |
JdbcMapStore is not SQL92 compliant. |
EE-5866 |
HTTP request fails when certain multiple encoded characters are included. |
EE-5762 |
BitronixTransactionManager can’t be referenced from Spring beans. |
EE-5760 |
BatchJobInstance does not wait for all dispatched records to finish before shutting down |
EE-5723 |
Fix Serialization problems when AMQP and Caching Strategy are used together. |
EE-5700 |
Bitronix does not clean ActiveMQ ended transaction contexts in case of failure/recovery |
EE-5689 |
Batch test cases do not dispose context if final assertions fail |
EE-5069 |
Possible DoS in HTTP transport due to old commons-httpclient |
EE-4965 |
JDBC Map Store - Application name length limitation |
AGW-2047 |
Missing OpenID Connect lib from v3.9.1 distribution |
AGW-1772 |
Error saving policy cache file when api name or version have invalid filename characters |
AGW-1474 |
Some Throttling configurations may allow DoS attacks |
AGW-1951 |
Pointcut cache can have key collisions when using resource level policies and +1 sources |
AGW-1946 |
API created with auto discovery from RAML 1.0 spec with includes doesn’t attach includes |
AGW-1788 |
Small insecurity window regression |
AGW-1640 |
S3 backup access forbidden to bucket |
AGW-1786 |
Missing logs in CloudHub |
AGW-1737 |
API Gateway Agent does not work with proxy with authentication |
AGW-1809 |
Apply backoff on IOException |
AGW-1780 |
Analytic sending 200 when the flow ended with a 500 |
AGW-1487 |
API Auto Discovery is uploading only the Root RAML |
AGW-1563 |
SLA tiers change [agw-policy-watcher] warns about a policy direct modification |
AGW-1586 |
Outage status codes property not being used for backoff |
AGW-1458 |
Backport entry limits to Analytics cache |
AGW-1771 |
AnalyticsQueue addAll only adds till the first successful |
(No Issue Number) |
DataWeave fixes:
|
Enhancement Request Issues
Issue | Description |
---|---|
MULE-14580 |
Update DefaultResourceReleaser for newer mysql versions |
MULE-12551 |
Fix commons-beanutils vulnerability |
EE-6010 |
Support PowerPC Little endian |
EE-5991 |
Allow the user to configure cluster datasource as cluster properties |
EE-5816 |
Need to validate Hostname resolution and error reporting in Mule HTTP module |
EE-4945 |
JDBC Map Store: Add support for configurable DataSource |
AGW-1953 |
API tracking is not retried in case of error in secondary nodes |
AGW-1995 |
Add Host Server name as part of the Analytics data 3.x |
Known Limitations and Workarounds
Issue | Description |
---|---|
MULE-14848 |
Cxf does not correctly resolve Exchange Pattern in bindings with multiple operations |
Upgrade Requirements
Issue | Description |
---|---|
MULE-14381 |
By default, the File Connector processes empty files. For disabling this behavior use the mule.transport.file.ignoreEmptyFiles=true system property |
MULE-14507 |
The HTTP Requester now sends a zero content length in empty payloads scenarios. For disabling this behavior use the mule.http.client.avoidZeroContentLength=true system property. |
MULE-14169 |
Remove Drools module from distribution (check the Drools doc for details in case you need to use it: https://docs.mulesoft.com/mule-user-guide/v/3.9/drools-module-reference) |
Library Changes
Issue | Description |
---|---|
MULE-14842 |
Update commons-lang version to 2.6 |
MULE-14832 |
Update commons-httpclient to 3.1-14-MULE-001 |
MULE-14831 |
Update Jackson 1 to 1.9.14-MULE-002 |
MULE-14795 |
Upgrade Jackson 2 to Upgrade Jackson to 2.9.5 |
MULE-14763 |
Upgrade Jetty to 9.2.24.v20180105 |
MULE-14639 |
Upgrade jruby-stdlib to 9.1.16.0 in Scripting Module |
MULE-14618 |
Upgrade Spring JMS to 4.1.9.RELEASE-MULE-001 |
MULE-14462 |
Upgrade MVEL to 2.1.9-MULE-015 version |
MULE-14442 |
Upgrade Grizzly version 2.3.35 |
MULE-14382 |
Upgrade BouncyCastle to 1.59 |
MULE-14144 |
Upgrade Spring LDAP to 2.3.2 |
MULE-14053 |
Update commons-io to 2.6 to avoid problems when deserialize primitive types |
MULE-13487 |
Upgrade JAXB to version 2.3.0-MULE-001 and CXF to 2.7.19-MULE-003. |
Compatibility Notes
-
The unified Mule Runtime 3.9.1 and API Gateway is compatible with APIkit 3.9.1.
-
This version of Mule runtime is bundled with the Runtime Manager Agent plugin version 1.9.5.
-
This release is supported on Anypoint Private Cloud Edition 1.6.1 and later.
Software Compatibility Testing
Mule was tested on the following software:
Software | Version |
---|---|
JDK |
Oracle JDK 1.8.0 (Recommended JDK 1.8.0_151/52), IBM JDK 1.8, OpenJDK 8 |
OS |
MacOS 10.11.x, HP-UX 11i V3, AIX 7.2, Windows Server 2019, Windows 10, Solaris 11.3, RHEL 7, Ubuntu Server 16.04 |
Application Servers |
Tomcat 7, Tomcat 8, Weblogic 12c, Wildfly 8, Wildfly 9, Websphere 8, Jetty 8, Jetty 9 |
Databases |
Oracle 11g, Oracle 12c, MySQL 5.5+, DB2 10, PostgreSQL 9, Derby 10, Microsoft SQL Server 2014 |
Note that for RHEL 7, kernel version 3.10.0-1062 has an issue related to log4j2 that you can address by following guidance in the MuleSoft Knowledge Base article Mule Runtime CPU Utilization Increased After Patching the Linux Kernel to Kernel-3.10.0-1062.