Mirth Connect Open Source 4.5 Test Partner drop.

[ARShelleyNextGen]

Hello Mirth Community !

The NextGen Healthcare Mirth Connect team is excited to announce the commencement of our work on the upcoming release of Mirth Connect OSS version 4.5. In this iteration, we are focusing on updating numerous dependent libraries to their latest versions.
Over the next four months, our strategy involves sharing periodic "Test Partner” drops of version 4.5 with the community. These "Test Partner” releases are designed to enable the community to explore and test your channels and workflow prior to the final general release (GR) version of 4.5, which is scheduled for the end of January 2024.

We will use this communication channel to keep you informed about new drops and offer high-level documentation detailing the libraries incorporated in each drop. Your assistance in testing this version in your playground/development environments is greatly appreciated. It's important to note that these "Test Partner” drops are strictly for testing purposes and should not be deployed in production environments until the final GR version is officially released in January 2024.

While you explore and assess these drops, we encourage you to utilize this GitHub discussion thread to provide feedback. Our team will be actively monitoring the thread for updates. If you encounter any issues, please promptly update this thread with your findings. We will evaluate these issues and work towards resolving them in upcoming drops or future versions, taking into consideration their severity and impact on our users' business operations. Your feedback is invaluable in ensuring the quality and reliability of Mirth Connect version 4.5.

Installation Recommendations for Beta Drops:
Please keep in mind that these are "Test Partner" drops and should not be applied to any Production-level setting. It's crucial to understand this and deploy these drops in a playground or development environment to avoid any impact on the existing setup. Here are some recommended installation procedures:

1. Set up in a "fresh" environment - starting from scratch.
2. Upgrade your current playground/development environment.
   2a.We highly advise creating a backup or clone of your current environment before proceeding with the upgrade. This ensures you can revert to the previous state if needed.
3. For future beta drops, we cannot guarantee an in-place upgrade over an existing beta drop at this time. The final GR version will support in-place upgrades for non-beta versions, akin to all previous versions.

Here is where you can access these drops:
4.5 Beta Drops

Again, we Thank you for your help and feedback.
If you have any specific question or concerns please feel free to contact myself Alan Shelley ( [email protected] ) Mirth connect Engineering Manager or Jackie Knight ( [email protected] ) Mirth Connect Product Manager or just post a comment to this thread.

Thank You.

[ARShelleyNextGen]

9/22/2023 - 4.5.b2954 drop contains the following fixes:

Updated Apache Xerces to 2.12.2

We've updated Apache Xerces from version 2.9.1 to 2.12.2. This update addresses the following vulnerabilities:

• CVE-2022-23437
• CVE-2018-2799
• CVE-2012-0881

We've also updated Apache xml-apis from version 1.0.b2 to 1.4.01. There are no vulnerabilities associated with this library, but it is a dependency of Xerces, and it was required to update it.

Updated Jackson to 2.14.3

We've updated several Jackson libraries from version 2.11.3 to 2.14.3. This update addresses the following vulnerabilities:

• CVE-2020-36518
• CVE-2020-28491
• CVE-2021-46877
• CVE-2022-42003
• CVE-2022-42004

Updated Netty to 4.1.97

We've updated Netty from version 4.1.53 to 4.1.97. This update addresses the following vulnerabilities:

• CVE-2021-37136
• CVE-2021-37137
• CVE-2022-41881
• CVE-2021-21290
• CVE-2021-21295
• CVE-2021-21409
• CVE-2021-43797
• CVE-2022-24823

We have also updated the Netty NIO client to 2.20.140 and Netty reactive streams to 2.0.8.

[jonbartels]

Will jSch be updated in 4.5? #5608

[ARShelleyNextGen]

@jonbartels Yes, we have it targeted for a drop in late December right before our Jan 2024 GR of 4.5.

[tonygermano]

While looking into this issue I noticed that jaxws-rt-2.3.0.2.jar is incredibly old (about 15 years.) I don't know if updating to the current version (4.0.1) would solve the issue or not. Is that library on the roadmap?

[ARShelleyNextGen]

@tonygermano the team took a look at the issue you reference as it related to the Jar you reference and concluded those don't appear to be connected in any way. As for the jax-rt-2.3.0.2.jar file is not an item we have planned to address in the upcoming releases. That being said we are still in the beginning phase, and it could still come up as needing to be updated once we get into the other tasks.

[jonbartels]

Is the 4.5 beta derived directly from the main development branch? If not, which branch?

The commits seem to align with the stated library updates https://github.com/nextgenhealthcare/connect/commits/development/

[ARShelleyNextGen]

@jonbartels it is from the development branch - we wanted to make it easy for people to grab it in an installable state.

[jonbartels]

I looked at the release notes for:

• Xerces - https://xerces.apache.org/xerces2-j/releases.html -> I do not see any changes that would be likely to upset Mirth or any usages of Xerces from channel code.
• xml-apis - https://xerces.apache.org/xml-commons/changes.html -> I did not spend any time reading these. The last release was in 2009. If Mirth code or channel code somehow breaks on an update that old then we deserve it.
• Jackson - https://github.com/FasterXML/jackson/wiki/Jackson-Releases -> The release notes are quite thorough. Nothing jumped out at me as being a problem but XML related issues, when they occur, are often subtle and very dependent on the data being handled.
• Netty - https://netty.io/news/ -> A bit long to really read and digest.

@ARShelleyNextGen two topics for you and your team:

1. I see that Jackson is not being updated to the latest, why 2.14.3 instead of 2.15.2?
2. These are larger jumps in dependencies. It needs to be done and will help pass security scans. What plans or policies can we expect in future releases? Going forward, will libraries be updated in smaller jumps with each Mirth release?

I am currently fiddling with my container builds to try out MC 4.5 betas. Thank you again for doing this in the open.

[ARShelleyNextGen]

@jonbartels Thank You for taking the time to review these changes and providing your feedback. A few answers for you:

1. Jackson: We saw that in versions above 2.14.3 had some features in them that would require us to make some larger changes since we still have Java 1.8. We will look to address those at a later time.
2. Larger Jumps: Yup - we have spent too much time kicking the can down the road. In the 4.5 release we are trying to catch up to a reasonable spot. After 4.5 our plan to get better at doing smaller chucks of technical debt. We don't want to find ourselves doing another full App Sec release. Only time will tell how good we are at that - that is my challenge/expectation I have placed on our Engineering and Product Teams in the planning phases.

[jonbartels]

I see that Lisa updated Velocity today also.

Release notes: https://velocity.apache.org/engine/devel/changes.html

Deprecated 2.1 flag velocimacro.arguments.preserve_literals in favor of the new valocimacro_enable_bc_mode flag, which will also, like 1.7 does, use global context values as defaults for missing macro arguments which do not have an explicit default value. .
...
Also allow hyphen in subproperties when the corresponding backward compatibility flag is on . Fixes VELOCITY-912.

Emphasis mine. This is a category of change where the NextGen devs/leads do need to think about the updates. Is Mirth passing any properties to velocity that should or should-not use these backwards compatible flags?

I am not sure if this matters for Velocity specifically. I present it here as an example of what to watch for when updating libraries. Make an active choice to run in backwards compatible modes or not. Something in the release notes to the effect of, "Users using advanced Velocity mappings should review these release notes and test their code. Typical, simple Velocity substitutions are unaffected."

Velocity Tools Release Notes: https://velocity.apache.org/tools/3.1/changes.html

This was just 3.0 to 3.1. The deprecations might matter but I don't see Mirth using Velocity in an advanced way that would be affected.

[ARShelleyNextGen]

@jonbartels Thank you for the feedback I have brought your feedback to the Engineers attention as to what to keep in mind when making these changes. This is exactly the type of feedback we are looking to achieve by experimenting with our Test Partner drops.

[joaryche]

the development team had dealt with the hyphen issue three years ago when upgrading the velocity library to 2.1. the connect project doesn't use the preserve_literals flag internally. I like the release notes warning.

[JensVercruysse]

Are there any plans to update the jersey client and switch to jakarta instead of javax?

[JackieK5]

A Jersey update is on the 4.5.0 schedule but at this time we have no plans to switch to jakarta.

[jonbartels]

@ARShelleyNextGen since you're upgrading libraries, would 4.5 also be a good chance to address this issue requesting an SBOM? #5852

[ARShelleyNextGen]

@jonbartels I thought I responded 2 weeks ago to this ask. My bad. I had passed along your feedback to the Product Manager for prioritization as well as passed it along to Engineers to see if they are aware of anywhere in our current build process that could generate a SBOM.

[ARShelleyNextGen]

Hello Again Mirth Community !

The NextGen Team has updated the Beta drop folder with a new drop: 4.5.b2974. This drop is cumulative of what was available in the last one on 9/22/2023.

10/18/2023 - 4.5.b2974 drop contains the following fixes:

Updated Apache commons-beanutils to 1.9.4

We've updated Apache commons-beanutils from version 1.9.3 to 1.9.4. This update addresses the following vulnerability:

CVE-2019-10086

Added Apache commons-digester3 3.2

We've added the Apache commons-digester3-3.2 library. We've removed the Apache commons-digester-2.0 library from all components. If you are referencing this library in your code, please refer to the commons-digester3-3.2 library instead. This change addresses the following vulnerabilities:

• CVE-2019-10086
• CVE-2014-0114

Updated Apache commons-fileupload to 1.5

We've updated Apache commons-fileupload from version 1.4 to 1.5. This update addresses the following vulnerability:

• CVE-2023-24998

Updated Apache commons-io to 2.13.0

We've updated Apache commons-io from version 2.6 to 2.13.0. This update addresses the following vulnerability:

• CVE-2021-29425

Updated Apache commons-lang3 to 3.13.0

We've updated Apache commons-lang3 from version 3.9 to 3.13.0. There are no vulnerabilities associated with this library. We've removed the Apache commons-lang-2.6 library from all components. If you are referencing this library in your code, please refer to the commons-lang3-3.13.0 library instead.

Updated Apache Velocity Engine to 2.3

We've updated Apache velocity-engine-core from version 2.2 to 2.3. This update addresses the following vulnerabilities:

• CVE-2022-41853
• CVE-2020-15250

Updated Apache Velocity Tools to 3.1

We've updated Apache velocity-tools-generic from version 3.0 to 3.1. This update addresses the following vulnerabilities:

• CVE-2020-15250
• CVE-2019-10086

Installation Recommendations for Beta Drops:
Please keep in mind that these are "Test Partner" drops and should not be applied to any Production-level setting. It's crucial to understand this and deploy these drops in a playground or development environment to avoid any impact on the existing setup. Here are some recommended installation procedures:

1. Set up in a "fresh" environment - starting from scratch.
2. Upgrade your current playground/development environment.
   2a.We highly advise creating a backup or clone of your current environment before proceeding with the upgrade. This ensures you can revert to the previous state if needed.
3. For future beta drops, we cannot guarantee an in-place upgrade over an existing beta drop at this time. The final GR version will support in-place upgrades for non-beta versions, akin to all previous versions.

Here is where you can access these drops:
4.5 Beta Drops

Again, we Thank you for your help and feedback.
If you have any specific question or concerns please feel free to contact myself Alan Shelley ( [email protected] ) Mirth connect Engineering Manager or Jackie Knight ( [email protected] ) Mirth Connect Product Manager or just post a comment to this thread.

[ARShelleyNextGen]

Hello Again Mirth Community !

The NextGen Team has updated the Beta drop folder with a new drop: 4.5.b2974. This drop is cumulative of what was available in the last one on 10/18/2023.

11/15/2023 - 4.5.0.b2988 drop contains the following fixes:

Updated Apache commons-compress to 1.24.0
We've updated Apache commons-compress from version 1.17 to 1.24.0. This update addresses the following vulnerabilities:

CVE-2019-12402
CVE-2021-35515
CVE-2021-35516
CVE-2021-35517
CVE-2021-36090

Updated Apache Derby to 10.14.2.0
We've updated Apache derby and derbytools from version 10.10.2.0 to 10.14.2.0. This update addresses the following vulnerabilities:

CVE-2015-1832
CVE-2018-1313

Removed Jasypt Library
We've removed the jasypt library. This update addresses the following vulnerability:

CVE-2014-9970

Updated MySQL JDBC Driver to 8.1.0
We've updated MySQL JDBC Driver from version 8.0.16 to 8.1.0. This update addresses the following vulnerability:

CVE-2020-1967

Updated PostgreSQL JDBC Driver to 42.6.0
We've updated PostgreSQL JDBC Driver from version 42.2.19 to 42.6.0. This update addresses the following vulnerabilities:

CVE-2022-41946
CVE-2022-31197
CVE-2022-26520
CVE-2022-21724

Updated SQLite JDBC Driver to 3.43.2.1
We've updated SQLite JDBC Driver from version 3.7.2 to 3.43.2.1. This update addresses the following vulnerabilities:

CVE-2017-10989
CVE-2019-19646
CVE-2020-11656
CVE-2019-8457

Here is where you can access these drops:
4.5 Beta Drops

Installation Recommendations for Beta Drops:
Please keep in mind that these are "Test Partner" drops and should not be applied to any Production-level setting. It's crucial to understand this and deploy these drops in a playground or development environment to avoid any impact on the existing setup.

Here are some recommended installation procedures:

1.Set up in a "fresh" environment - starting from scratch.
2. Upgrade your current playground/development environment.
2a.We highly advise creating a backup or clone of your current environment before proceeding with the upgrade. This ensures you can revert to the previous state if needed.
3.For future beta drops, we cannot guarantee an in-place upgrade over an existing beta drop at this time. The final GR version will support in-place upgrades for non-beta versions, akin to all previous versions.

Again, we Thank you for your help and feedback.
If you have any specific question or concerns please feel free to contact myself Alan Shelley ( [email protected] ) Mirth connect Engineering Manager or Jackie Knight ( [email protected] ) Mirth Connect Product Manager or just post a comment to this thread.

[jonbartels]

Removed Jasypt Library

That was a new one to me. It hasn't been updated since 2019! Good call :D

JDBC

The various JDBC updates are good ones. We see a few questions in Slack where newer installations need newer JDBC drivers and options to work, notably on cloud based DBs that require stricter authentication mechanisms.

Updated Apache commons-compress

Users with DIRECT or XDM connections running through Mirth might want to pay attention to this one. As I recall the bundle standard for XDM and DIRECT is to construct a ZIP attachment with a certain structure. This ZIP is likely generated using commons-compress. I would generaly expect the Apache updates to be well behaved and not-breaking; trust but verify.

[ARShelleyNextGen]

@jonbartels Thank You for your comments. Its looking like maybe 1 or 2 more drop before our GR candidate will be ready for final testing. Have a wonderful holiday and thanks again for taking the time to provide feedback.

[jonbartels]

https://forums.mirthproject.io/forum/mirth-connect/support/18801-new-feature-mirth-logging-replacement/page3#post184269 - Good example of a developer who was able to use the beta-drop to improve a widely used logging tool for Mirth.

[ARShelleyNextGen]

@jonbartels Thank for posting. We are very pleased that our beta drop was able to help. MC 4.5 has a lot of new library updates, and our intent is to ensure the Mirth Community is ahead of the game once the GR of 4.5 is available.

[linxd]

how about bcprov-jdk18on-177.jar ?
hikaricp 3.x?
mybatis 3.5.x?

[ARShelleyNextGen]

@linxd We did have MyBatis targeted for the 4.5 but that didn't make it - we do plan on that getting pushed to the 4.6 timeline. No plans for the other libraries mentioned above.

Question back to you - What on those libraries are you concerned with that you feel they need to raise to the top of the priority list? Please give me some more info of the value they will bring to you and your organization, and I will see if we can move them up based upon that additional information you provide.

[ARShelleyNextGen]

Hello Mirth Community !

The NextGen Team has completed its final Development sprint, and we are heading into regression testing with this build. This will be our final Test Partner build prior to being GR. You can find the latest in the Beta drop folder with this version in the name: 4.5.b3010. This drop is cumulative of what was available in the last one on 11/15/2023.

01/12/2024 - 4.5.0.b3010 drop contains the following fixes:

Core Mirth Connect

Fixed Defects

Updated Ports in Use

We fixed an issue where the Ports in Use dialog would not display when a filter/transformer contains a variable named 'listenerConnectorProperties'.

Updated Reprocess Attachment Handler to Always Include Attachments

We fixed an issue which failed to include an attachment when reprocessing a multipart message. This affects messages where the attachment is not embedded within the raw message but is included in a separate boundary within the multipart message.

Fixed API Endpoint for Web Service Connector Services

We fixed a null pointer exception that occurred when the SSL Plugin was installed but the destination web service connector was not utilizing the SSL Manager.
We also made the following enhancements:

1. We removed the requirement for the channel name on all web service API requests to simplify the request.
2. All fields that are required are now noted for validation.
3. We changed descriptions to better explain the more complex instructions needed for the API requests.

Security Improvements

Library Updates

Reverted Apache Derby to 10.10.2.0

In a previous beta release, we upgrade Apache Derby to 10.14.2.0, but we've since found compatibility errors when upgrading, so we've reverted the library.

Updated JDOM to JDOM2 2.0.6.1

We've updated the JDOM library from version 1.1.1 to JDOM2 version 2.0.6.1. This update addresses the following vulnerabilities:

• CVE-2021-33813

Updated Jetty to 9.4.53

We've updated several Jetty libraries from version 9.4.44 to 9.4.53. We've also updated several Jetty library dependencies (javax and asm). This update addresses the following vulnerabilities:

• CVE-2022-2047
• CVE-2022-2048
• CVE-2023-26048
• CVE-2023-26049
• CVE-2023-36478
• CVE-2023-36479
• CVE-2023-40167
• CVE-2023-41900
• CVE-2023-44487

Replaced JSch Library with mwiede's Implementation

We've replaced the official JSch library with the most recent version of mwiede's implementation which is a drop-in replacement. The official library is no longer maintained, while mwiede's library is actively maintained with bug fixes and security updates. Thanks to jonbartels for submitting the community issue and the pull request.

Updated Quartz Scheduler to 2.3.2

We've updated Quartz Scheduler from version 2.1.7 to 2.3.2. This update addresses the following vulnerability:

• CVE-2019-13990

Removed SoapUI and XMLBeans Libraries

We've removed the SoapUI and XMLBeans libraries. This update addresses the following vulnerability in XMLBeans, which is a dependency of SoapUI:

• CVE-2021-23926

Removed woodstox-core and stax2-api Libraries

We've removed the woodstox-core and stax2-api libraries. This update addresses the following vulnerability:

• CVE-2022-40152

Updated XStream to 1.4.20

We've updated XStream from version 1.4.19 to 1.4.20. This update addresses the following vulnerabilities:

• CVE-2022-40151
• CVE-2022-41966

Here is where you can access these drops:
4.5 Beta Drops

Installation Recommendations for Beta Drops:

Please keep in mind that these are "Test Partner" drops and should not be applied to any Production-level setting. It's crucial to understand this and deploy these drops in a playground or development environment to avoid any impact on the existing setup.

Here are some recommended installation procedures:

1.Set up in a "fresh" environment - starting from scratch.
2. Upgrade your current playground/development environment.
2a.We highly advise creating a backup or clone of your current environment before proceeding with the upgrade. This ensures you can revert to the previous state if needed.
3.For future beta drops, we cannot guarantee an in-place upgrade over an existing beta drop at this time. The final GR version will support in-place upgrades for non-beta versions, akin to all previous versions.

Again, we Thank you for your help and feedback.
If you have any specific question or concerns please feel free to contact myself Alan Shelley ( [email protected] ) Mirth connect Engineering Manager or Jackie Knight ( [email protected] ) Mirth Connect Product Manager or just post a comment to this thread.