4.4.1 Upgrade Guide
We've changed XStream to use an allowlist instead of a denylist. This means that only a strict list of types is allowed to be serialized or deserialized in Mirth Connect. This will likely have no effect on your Mirth Connect installation. However, if you have custom channel implementations that happen to serialize or deserialize types that are not allowed by default, you may encounter ForbiddenClassException errors or something similar. To fix this problem, you'll need to allow those specific types by adding one or both of the following properties to your mirth.properties file:
- xstream.allowtypes - A comma-separated list of fully-qualified classes to allow. These classes can include wildcards. Example values are com.my.package.MyClass, com.my.package.MyClass$MyInnerClass, and com.my.package.*.
- xstream.allowtypehierarchies - A comma-separated list of fully-qualified type hierarchies to allow. This means that these classes and their subclasses will be allowed. An example value is com.my.package.MyParentClass.
Please note that you can still use the xstream.denytypes property, which lets you explicitly deny types from being serialized or deserialized using XStream. It takes a comma-separated list of fully-qualified classes and can include wildcards. This denylist takes precedence over the allowlist.
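The allow, hierarchy, and deny semantics described above can be reproduced with XStream's own security API. This is an added example, not Mirth Connect's code: it assumes the XStream library is on the classpath, the sample classes are constructed, and the mapping from each property to an XStream call is an assumption made for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;

public class AllowlistDemo {
    // Constructed sample types standing in for classes a custom channel might use.
    public static class Order { public int qty = 2; }
    public static class BaseEvent { public int code = 7; }
    public static class AuditEvent extends BaseEvent { }
    public static class Secret { public int pin = 1234; }
    public static class Unlisted { public int n = 1; }

    static XStream restricted() {
        XStream xs = new XStream();
        // Allowlist mode: clear every default permission, then permit types explicitly.
        xs.addPermission(NoTypePermission.NONE);
        // Exact types, comparable to xstream.allowtypes (assumed mapping).
        xs.allowTypes(new Class[] { Order.class, Secret.class });
        // A class and its subclasses, comparable to xstream.allowtypehierarchies.
        xs.allowTypeHierarchy(BaseEvent.class);
        // Registered last: XStream evaluates the most recently added permission
        // first, so this deny overrides the allow for Secret above
        // (comparable to xstream.denytypes taking precedence).
        xs.denyTypes(new Class[] { Secret.class });
        return xs;
    }

    // Serializes a sample with an unrestricted instance to build the input
    // document, then reports whether the restricted instance will read it back.
    static String check(XStream xs, Object sample) {
        String xml = new XStream().toXML(sample);
        try {
            xs.fromXML(xml);
            return "allowed";
        } catch (ForbiddenClassException e) {
            return "forbidden";
        }
    }

    public static void main(String[] args) {
        XStream xs = restricted();
        Object[] samples = { new Order(), new AuditEvent(), new Secret(), new Unlisted() };
        for (Object s : samples) {
            System.out.println(s.getClass().getName() + " -> " + check(xs, s));
        }
    }
}
```

Running the same check against the classes your own channels serialize shows which ones need an allowlist entry before you upgrade.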
This update was made in response to an Unauthenticated Remote Command Execution vulnerability that was identified within Mirth Connect Core version 4.4.0 and lower. Please refer to CVE-2023-43208 for more details on the vulnerability. https://nvd.nist.gov/vuln/detail/CVE-2023-43208
For further information, please refer to Mirth Connect 441 Info & FAQs.pdf