Mirth Connect 4.0.0 includes new features such as a JavaScript Debugger, Login Notice and Consent dialog with options, Inactivity Logout with options, as well as many smaller changes, updates, and improvements. This release also contains several improvements to commercial extensions.

• Core Mirth Connect
  • New Features
    • JavaScript Debugger
    • Custom Notice and Consent Window
    • Automatic Logout from Administrator
    • Easily Accessible User Guide
    • Channel Management Improvements
    • Improved Logging When Using Deprecated MessageHeaders.get(key) method
    • Upgraded Open Source License
  • Fixed Defects
    • Fixed Database Reader XML Tags
    • Fixed Memory Leak in Web Service Listener
    • Fixed JSON to XML Conversion Issue
  • Security Improvements
    • Suppress Sensitive Information
    • Updated Libraries
      • Jetty Libraries
      • Apache Commons FileUpload Library
      • Rhino
      • Apache Commons Collections 3 Returns
    • Updated Default Supported TLS Protocols and Cipher Suites
• Commercial Extension Improvements
  • Advanced Clustering
    • Performance Improvements

You can find the list of completed issues for this release here.

We've created a feature that allows you to debug JavaScript code within your channels and code templates. Specifically, you can debug your channel scripts (Deploy, Undeploy, Preprocessor, and Postprocessor scripts), attachment scripts, batch scripts, filters, transformers, Database Connector scripts, and JavaScript Connector scripts. It's important to understand that the Debugger and its user interface runs on the server side which means, to take advantage of the debugger, you will need to alter the headless parameter that is set when running your server by editing the mcserver.vmoptions or mcservice.vmoptions files setting the java.awt.headless parameter to false.

-Djava.awt.headless=false

Once you have made that change, and you have started your server, channels will be able to debugged properly.

You'll notice a new Debug Channel button in the Channels view and the Channel Edit view that you can use to deploy a channel in debug mode.

After clicking the button, you're presented with options on which scripts to debug.

After making your selection, debugger windows for each script will appear as the channel is deployed and/or when the channel receives a message.

Please see the User Guide for an in-depth guide on using the JavaScript debugger including prerequisite setup steps and known limitations.

We added a new feature that allows you to create a custom notice that is displayed upon login to all users. The user must consent to the notice before being allowed to proceed, and a corresponding entry is added to the Event Log whenever a user consents. This feature satisfies security requirements that are necessary for some organizations.

You can configure this feature in the Server Settings.

We've created a new feature to automatically log a user out of the Administrator UI after a specified period of inactivity. A new Event Log entry is added when this occurs. This feature can be toggled on or off in the Server Settings, and you can also specify the auto logout interval there. (Community Issue)

We added a button to the Administrator UI to quickly access the User Guide.

When importing channels, you can now select multiple channels at once.

When attempting to deploy a disabled channel from within the Channel Edit view, you will now see a pop-up asking if you'd like to enable and deploy the channel.

The "deprecated method" log message when using the get(key) method from a MessageHeaders object now includes the value of key. This makes it easier for users to identify where they are using the deprecated method. The drag-and-drop JavaScript references, Get HTTP Request Header and Get HTTP Response Header, now use the non-deprecated getHeader(key) method instead. (Community Issue)

We updated Mirth Connect's Open Source License from Mozilla Public License 1.1 (MPL 1.1) to Mozilla Public License 2.0 (MPL 2.0).

We fixed a defect that was introduced in Mirth Connect 3.12.0 regarding the casing of XML tags when using the Database Reader. See the upgrade guide for more information. (Community Issue)

We fixed a memory leak issue in which sun.net.httpserver.HttpConnection objects could be retained indefinitely even after the connections were closed. (Community Issue)

We addressed a problem with our JSON to XML conversion methods in which the order of JSON nodes could cause the conversion to fail.

Mirth Connect will no longer return the Jetty version in response headers or show the "Powered by Jetty..." text on error response pages. Also, responses will no longer return a stack trace limiting the response to only a relevant message derived from the stack trace. (Community Issue 1)

Mirth Connect will no longer send the Apache version in the user-agent header of HTTP requests and will instead send "Mirth Connect" by default. This default user agent can be overridden with a different user agent by populating your own user-agent header in the HTTP Sender's "Headers" table. (Community Issue 2)

The following CVEs have been addressed by updating Jetty libraries from 9.4.21 to 9.4.44 (Community Issue):

• CVE-2020-27216
• CVE-2021-28165
• CVE-2019-17632
• CVE-2020-27223
• CVE-2020-27218
• CVE-2021-34428

Also, this Jetty update fixes an issue with Jetty causing blocked threads eventually necessitating a restart of the Mirth Connect server. Community Issue

The following CVEs have been addressed by updating Apache Commons FileUpload 1.2.1 to 1.4:

• CVE-2014-0050
• CVE-2016-1000031
• CVE-2016-3092

Updated Rhino library from version 1.7.12 to 1.7.13 which fixes an issue with JS bundle and having rhino.languageversion=1.8 or rhino.languageversion=es6. (Community Issue)

Previously, Apache Commons Collections 3.x was removed in an attempt to consolidate Commons Collections usage to 4.x. Unfortunately, some other libraries (Apache Commons BeanUtils) still rely on 3.x so 3.2.2 has been brought in. (Community Issue)

In 4.0.0, TLSv1.1 has been disabled and the TLS protocols enabled by default are:

• Client Protocols: TLSv1.3,TLSv1.2
• Server Protocols: TLSv1.3,TLSv1.2,SSLv2Hello

Also, the following weak cipher suites have been disabled by default:

• TLS_RSA_WITH_AES_256_CBC_SHA256
• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

For more information on TLS Protocol and Cipher Suite changes see the 4.0.0 Upgrade Guide.

Fixed a race condition introduced in 3.12.0 where servers which were configured to store the configuration map in the database could encounter an infinite loop constantly trying to update the configuration map and submit cluster tasks.

Fixed an issue where multiple servers could acquire the same lock simultaneously when using the TCP Notification Service (for example, when configuring a channel for guaranteed message order) causing multiple servers to attempt to process the same message.

Fixed an issue introduced in 3.12.0 when disabling Strict Channel Synchronization on servers using a newer version of Java (example: Java 11) where the server would try to set the channel task pool size to a number greater than the maximum pool size causing an exception in newer Java versions.