4.0.0 What's New

Mirth Connect 4.0.0 includes some new features like a new JavaScript Debugger feature, Login Notice and Consent dialog and options, Inactivity Logout and options, and many smaller changes, updates, and improvements. This release also contains several improvements to commercial extensions.

• Core Mirth Connect
  • New Features
    • JavaScript Debugger
    • Custom Notice and Consent Window
    • Automatic Logout from Administrator
    • Easily Accessible User Guide
    • Channel Management Improvements
    • Improved Logging When Using Deprecated MessageHeaders.get(key) method
    • Upgraded Open Source License
  • Fixed Defects
    • Fixed Database Reader XML Tags
    • Fixed Memory Leak in Web Service Listener
    • Fixed JSON to XML Conversion Issue
  • Security Improvements
    • Suppress Sensitive Information
    • Updated Libraries
      • Jetty Libraries
      • Apache Commons FileUpload Library
      • Rhino
      • Apache Commons Collections 3 Returns
    • Updated Default Supported TLS Protocols and Cipher Suites
• Commercial Extension Improvements
  • Advanced Clustering
    • Performance Improvements

You can find the list of completed issues for this release here.

Core Mirth Connect

New Features

JavaScript Debugger

We've created a feature that allows you to debug JavaScript code within your channels and code templates. Specifically, you can debug your channel scripts (Deploy, Undeploy, Preprocessor, and Postprocessor scripts), attachment scripts, batch scripts, filters, transformers, Database Connector scripts, and JavaScript Connector scripts. You'll notice a new Debug Channel button in the Channels view and the Channel Edit view that you can use to deploy a channel in debug mode.

After clicking the button, you're presented with options on which scripts to debug.

After making your selection, debugger windows for each script will appear as the channel is deployed and/or when the channel receives a message.

Please see the User Guide for an in-depth guide on using the JavaScript debugger including prerequisite setup steps and known limitations.

Custom Notice and Consent Window

We added a new feature that allows you to create a custom notice that is displayed upon login to all users. The user must consent to the notice before being allowed to proceed, and a corresponding entry is added to the Event Log whenever a user consents. This feature satisfies security requirements that are necessary for some organizations.

You can configure this feature in the Server Settings.

Automatic Logout from Administrator

We've created a new feature to automatically log a user out of the Administrator UI after a specified period of inactivity. A new Event Log entry is added when this occurs. This feature can be toggled on or off in the Server Settings, and you can also specify the auto logout interval there. (Community Issue)

Easily Accessible User Guide

We added a button to the Administrator UI to quickly access the User Guide.

Channel Management Improvements

When importing channels, you can now select multiple channels at once.

When attempting to deploy a disabled channel from within the Channel Edit view, you will now see a pop-up asking if you'd like to enable and deploy the channel.

Improved Logging When Using Deprecated MessageHeaders.get(key) method

The "deprecated method" log message when using the get(key) method from a MessageHeaders object now includes the value of key. This makes it easier for users to identify where they are using the deprecated method. The drag-and-drop JavaScript references, Get HTTP Request Header and Get HTTP Response Header, now use the non-deprecated getHeader(key) method instead. (Community Issue)

Upgraded Open Source License

We updated Mirth Connect's Open Source License from Mozilla Public License 1.1 (MPL 1.1) to Mozilla Public License 2.0 (MPL 2.0).

Fixed Defects

Fixed Database Reader XML Tags

We fixed a defect that was introduced in Mirth Connect 3.12.0 regarding the casing of XML tags when using the Database Reader. See the upgrade guide for more information. (Community Issue)

Fixed Memory Leak in Web Service Listener

We fixed a memory leak issue in which sun.net.httpserver.HttpConnection objects could be retained indefinitely even after the connections were closed. (Community Issue)

Fixed JSON to XML Conversion Issue

We addressed a problem with our JSON to XML conversion methods in which the order of JSON nodes could cause the conversion to fail.

Security Improvements

Suppress Sensitive Information

Mirth Connect will no longer return the Jetty version in response headers or show the "Powered by Jetty..." text on error response pages. Also, responses will no longer return a stack trace limiting the response to only a relevant message derived from the stack trace. (Community Issue 1)

Mirth Connect will no longer send the Apache version in the user-agent header of HTTP requests and will instead send "Mirth Connect" by default. This default user agent can be overridden with a different user agent by populating your own user-agent header in the HTTP Sender's "Headers" table. (Community Issue 2)

Updated Libraries

Jetty Libraries

The following CVEs have been addressed by updating Jetty libraries from 9.4.21 to 9.4.44 (Community Issue):

• CVE-2020-27216
• CVE-2021-28165
• CVE-2019-17632
• CVE-2020-27223
• CVE-2020-27218
• CVE-2021-34428

Also, this Jetty update fixes an issue with Jetty causing blocked threads eventually necessitating a restart of the Mirth Connect server. Community Issue

Apache Commons FileUpload Library

The following CVEs have been addressed by updating Apache Commons FileUpload 1.2.1 to 1.4:

• CVE-2014-0050
• CVE-2016-1000031
• CVE-2016-3092

Rhino

Updated Rhino library from version 1.7.12 to 1.7.13 which fixes an issue with JS bundle and having rhino.languageversion=1.8 or rhino.languageversion=es6. (Community Issue)

Apache Commons Collections 3 Returns

Previously, Apache Commons Collections 3.x was removed in an attempt to consolidate Commons Collections usage to 4.x. Unfortunately, some other libraries (Apache Commons BeanUtils) still rely on 3.x so 3.2.2 has been brought in. (Community Issue)

Updated Default Supported TLS Protocols and Cipher Suites

In 4.0.0, TLSv1.1 has been disabled and the TLS protocols enabled by default are:

• Client Protocols: TLSv1.3,TLSv1.2
• Server Protocols: TLSv1.3,TLSv1.2,SSLv2Hello

Also, the following weak cipher suites have been disabled by default:

• TLS_RSA_WITH_AES_256_CBC_SHA256
• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

For more information on TLS Protocol and Cipher Suite changes see the 4.0.0 Upgrade Guide.

Commercial Extension Improvements

Advanced Clustering

Performance Improvements

Fixed a race condition introduced in 3.12.0 where servers which were configured to store the configuration map in the database could encounter an infinite loop constantly trying to update the configuration map and submit cluster tasks.

Fixed an issue where multiple servers could acquire the same lock simultaneously when using the TCP Notification Service (for example, when configuring a channel for guaranteed message order) causing multiple servers to attempt to process the same message.

Fixed an issue introduced in 3.12.0 when disabling Strict Channel Synchronization on servers using a newer version of Java (example: Java 11) where the server would try to set the channel task pool size to a number greater than the maximum pool size causing an exception in newer Java versions.