
4.4.1 What's New

Jackie Knight - Mirth Connect edited this page May 17, 2024 · 3 revisions

Mirth Connect 4.4.1 is a patch release that includes security improvements.

Core Mirth Connect

Security Improvements

An Unauthenticated Remote Command Execution vulnerability has been identified within Mirth Connect Core version 4.4.0 and lower. The XStream update discussed below was made to resolve this issue. For more details on the vulnerability, refer to CVE-2023-43208: https://nvd.nist.gov/vuln/detail/CVE-2023-43208

Switched XStream to Use Allowlist Instead of Denylist

Mirth Connect uses the XStream library to serialize and deserialize objects. It is a potential security risk to allow unexpected object types to be processed through XStream. Therefore we are now being more restrictive about what types are allowed by using an allowlist instead of a denylist. The only types allowed are those that are strictly necessary for Mirth Connect to operate. For details on how this may affect Mirth Connect when upgrading, see the upgrade guide.
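
The difference between the two approaches, as an added example that is not Mirth Connect's own code: it configures one XStream instance with a denylist and one with an allowlist, then reads the same three constructed documents through each. It assumes XStream 1.4.x on the classpath; the class names `Channel`, `KnownBad` and `Unexpected` are hypothetical.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.NoTypePermission;

public class XStreamAllowlistDemo {
    // Hypothetical types: one the application needs, one a denylist author
    // already knows about, and one nobody anticipated.
    public static class Channel { public String name = "ADT feed"; }
    public static class KnownBad { public String value = "x"; }
    public static class Unexpected { public String value = "y"; }

    // Denylist: every type is accepted unless it is named here.
    static XStream denylist() {
        XStream xs = new XStream();
        xs.addPermission(AnyTypePermission.ANY);
        xs.denyTypes(new Class[] { KnownBad.class });
        return xs;
    }

    // Allowlist: every type is rejected unless it is named here.
    static XStream allowlist() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);
        xs.allowTypes(new Class[] { Channel.class, String.class });
        return xs;
    }

    // XStream signals a forbidden type with ForbiddenClassException,
    // a subclass of XStreamException.
    static String read(XStream xs, String xml) {
        try {
            return "accepted " + xs.fromXML(xml).getClass().getSimpleName();
        } catch (XStreamException e) {
            return "rejected (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) {
        XStream writer = new XStream(); // used only to produce the sample XML
        Object[] samples = { new Channel(), new KnownBad(), new Unexpected() }; // constructed
        for (Object sample : samples) {
            String xml = writer.toXML(sample);
            String type = sample.getClass().getSimpleName();
            System.out.println(type + " | denylist: " + read(denylist(), xml)
                    + " | allowlist: " + read(allowlist(), xml));
        }
    }
}
```

The `Unexpected` row is the one to compare: a denylist only stops types someone thought to list, while the allowlist rejects anything not explicitly permitted.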

Docker Images

Upgraded OpenSSL on Eclipse Temurin Images

We've upgraded OpenSSL to version 3.1.3 in the Mirth Connect Eclipse Temurin Docker images. We've done this to address vulnerabilities that exist in OpenSSL 3.0.2. Refer to the following community issues:
