
Apache Log4j2 vulnerability - December 2021

Publication date: Jan 22, 2025

Last updated: 14-March-2022 3:30 AM PST
Updates to this article are highlighted; the sections below indicate what has changed and requires customer action.

Action required based on latest updates compared to previous updates on 02-Feb-2022

  • Cloudhub > March monthly patching available; Mule Runtime 4.x now carries log4j 2.17.1 as a dependency and Mule Runtime 3.x carries 2.12.4
  • Standalone Mule Runtime (on-premise) > Mule Runtime 4.x section updated - Added new option for runtime version 4.4.0, 4.3.0 to install January patch release instead of multiple manual steps
  • Standalone Mule Runtime (on-premise) > Mule Runtime 3.x section updated - Added new option for runtime version 3.9.5 to install January patch release instead of multiple manual steps
  • Private Cloud Edition (PCE) > PCE Control plane > new Hotfix available with the updated third-party library in multiple services to include log4j dependency version 2.17.1

Action required based on latest updates compared to previous updates on 14-Jan-2022

  • Mule Connectors section > Added the list of connectors with version details for which Mulesoft has published updates
  • Private Cloud Edition (PCE) > PCE Control plane > new Hotfix available with the updated third-party library in multiple services to include log4j dependency version 2.17.0

Action required based on latest updates compared to previous updates on 14-Jan-2022

  • Added new section "Maven repositories" 
  • In Munit section, Added Note to use Patched Munit runtime distribution for 4.x runtimes

Action required based on latest updates compared to previous updates on 11-Jan-2022

  • Standalone Mule Runtime (on-premise) > Mule Runtime 4.x section updated - Added new option for runtime version 4.4.0, 4.3.0 to install January patch release instead of multiple manual steps
  • Standalone Mule Runtime (on-premise) > Mule Runtime 3.x section updated - Added new option for runtime version 3.9.5 to install January patch release instead of multiple manual steps
  • Mule Runtime in Studio > Runtimes in Studio 7.x - Update site for all Mule Runtime 4.x is updated with the latest fix when Studio 7.11.1 is used. No additional remediation required for runtimes used in Studio


Action required based on latest updates compared to previous updates on 06-Jan-2022

  • Cloudhub customers
    • CloudHub's monthly patching schedule was rescheduled to one week earlier. As a result, production apps will be patched between January 15, 2022, to January 16, 2022.
  • Studio 6.x section updated - A new patch release of Anypoint Studio (version 6.6.9) has been made available
  • MUnit 
    • "when tests are run from Studio 6.x" section - Instructions updated
    • "when running standalone (e.g. CI/CD)" - new plugin release information added

Action required based on latest updates compared to previous updates on 05-Jan-2022

  • Studio 7.x section updated - A new patch release of Anypoint Studio (version 7.11.1) has been made available
  • Standalone Mule Runtime (on-premise) > Mule Runtime 3.x section updated - Added new step (step 6 of 7) to patch Dataweave plugin in 3.8.5, 3.9.3 and 3.9.4

Action required based on latest updates compared to previous updates on 03-Jan-2022

  • Private Cloud Edition - Control plane - HotFix published for PCE control plane 2.0.x
  • Mule Runtime in Studio > Runtime in Studio 6.x - Added clarification in Step 4 to follow the "Standalone Mule Runtime (on-premise) > Mule Runtime 3.x" instructions
  • Anypoint Studio renamed the HotPatch file from "Log4JHotpatch.jar" to "Log4jHotpatch.jar" (lower-case j)

Action required based on latest updates compared to previous updates on 30-Dec-2021

  • Private Cloud Edition - Control plane - HotFix published for PCE control plane 1.7.x

Action required based on latest updates compared to previous updates on 29-Dec-2021

  • Updated "About This Knowledge Base Article" section - Mulesoft products are not affected by CVE-2021-44832
  • Standalone Mule Runtime - [3.9.1 - 3.9.4] - A revised patch was released to address an issue that only happens when a reconfiguration of the log4j context is called by custom code from an app

Action required based on latest updates compared to previous updates on 23-Dec-2021

  • Private Cloud Edition - Control plane
    • HotFix published for PCE control plane 2.1.0
    • New HotFix URL for 2.1.1, 2.1.2, 3.0.0, 3.0.1 - Remove old log4j jar in exchange-rest-connect service
  • Anypoint Studio - Studio 6.x and Studio 7.x  - Added clarification for identifying the ini file in Step 4

Action required based on latest updates compared to previous updates on 21-Dec-2021

  • Standalone Mule Runtime
    • 4.x Updates - New cumulative patch for 4.1.5 to 4.2.2 released with 2.17.0 version of log4j libraries
    • 3.x updates - new patches for 3.8.x, 3.9.x released with 2.12.3 version of log4j libraries
  • Runtime Fabric - new releases with latest log4j libraries
  • Mule Agent - new releases with latest log4j libraries
  • Munit - Mitigation instructions provided
  • Private cloud edition - Control plane - Fix released for 3.0 and 2.1 version
  • Cloudhub - new releases with latest log4j libraries 


About This Knowledge Base Article

Mule Runtime and Mule Applications make use of the Log4J external library in the code. This article provides a way to address the security issues currently identified in CVE-2021-44228 (first reported on December 10, 2021), CVE-2021-45046 (first reported on December 14, 2021), and CVE-2021-45105 (first reported on December 16, 2021).

Mulesoft products are not affected by CVE-2021-4104 and CVE-2021-44832.


Component Versions Affected

MuleSoft (Cloud)
MuleSoft (Cloud) is reported to be affected by CVE-2021-44228 and CVE-2021-45046. Mulesoft services, including dataloader.io, have been updated to mitigate the issues currently identified in CVE-2021-44228 and CVE-2021-45046, and we are executing our final validation steps. Please see additional details below.

MuleSoft (On-Premise)
MuleSoft (On-Premise) is reported to be affected by CVE-2021-44228 and CVE-2021-45046. The service has a mitigation in place. For Private Cloud Edition (PCE) customers, a mitigation is in place (details are available below). For Anypoint Studio customers, a mitigation is being developed to address the issues currently identified in CVE-2021-44228 and CVE-2021-45046.


CloudHub customers:

In order to address the security issues currently identified in CVE-2021-44228 (first reported on December 10, 2021), CVE-2021-45046 (first reported on December 14, 2021), and CVE-2021-45105 (first reported on December 16, 2021), the latest patches for all supported Mule runtime versions were made available on March 8, 2022.

CloudHub applications will be patched according to the revised schedule for monthly updates below:
  • Sandbox Applications - Between March 21, 2022 and March 25, 2022
  • Production Applications - Between March 26, 2022 and March 27, 2022. 
Applications that fail to deploy and are still running on a patch release prior to the March 8, 2022 release by March 27, 2022, at 5 PM PST, will be stopped.
Please contact support if you are unable to restart and update your application.

To voluntarily update your runtime with the additional fix before your application is forced to restart, please update your runtime release.


On-premise customers:

This issue requires your immediate attention. MuleSoft strongly recommends all on-premise customers take action to update their Mule runtimes as soon as possible. Instructions on how to apply the critical update can be found in this Knowledge Article. 

Mule runtime engines associated with the following products also need to be patched:
  • Anypoint Studio
  • Runtime Fabric (RTF)
  • Pivotal Cloud Foundry (PCF)
  • Private Cloud Edition (PCE)
Mule runtime engines that are in clusters must also be patched.


Standalone Runtime:

Mule Runtime 4.x

Action Required: Mule Runtime 4.x on-premise customers must take action to address the security issues identified in CVE-2021-44228 (first reported on December 10, 2021), CVE-2021-45046 (first reported on December 14, 2021), and CVE-2021-45105 (first reported on December 16, 2021).

In order to address the security issues currently identified in CVE-2021-44228, CVE-2021-45105, and CVE-2021-45046, patches for all supported runtime versions were made available to customers on December 23, 2021 at 5:30 PM PST.

A new patch release with the Runtime's log4j library updated to 2.17.1 was made available on March 8, 2022.

Mule Runtime 3.x
Action Required: Mule Runtime 3.x on-premise customers must take action to address the security issues identified in CVE-2021-44228 (first reported on December 10, 2021), CVE-2021-45046 (first reported on December 14, 2021), and CVE-2021-45105 (first reported on December 16, 2021).

In order to address the security issues currently identified in CVE-2021-44228, CVE-2021-45105, and CVE-2021-45046, patches for all supported runtime versions were made available to customers on December 23, 2021, at 5:30 PM PST.

A new patch release with the Runtime's log4j library updated to 2.12.4 was made available on March 8, 2022.


Runtime Fabric:

Action Required: Mule Runtime 3.x and 4.x Runtime Fabric customers must take action to address the security issues identified in CVE-2021-44228 (first reported on December 10, 2021), CVE-2021-45046 (first reported on December 14, 2021), and CVE-2021-45105 (first reported on December 16, 2021).

In order to address the security issues currently identified in CVE-2021-44228, CVE-2021-45105, and CVE-2021-45046, patches for all supported runtime versions were made available to customers on December 23, 2021 at 5:30 PM PST.

For information about how to patch your Mule 3.x and 4.x applications, refer to the relevant section below.


CVSS Score

[updated on 18-Dec-2021]

CVE-2021-44228
Base CVSS Score: 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Severity: Critical.

CVE-2021-45046
Base CVSS Score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H). Severity: Critical.

CVE-2021-45105
Base CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Severity: High.


Please see supporting documentation from Apache: https://logging.apache.org/log4j/2.x/security.html


User Impact

Per Log4j’s documentation:

CVE-2021-44228 - Log4j’s JNDI support has not restricted what names could be resolved. Some protocols are unsafe or can allow remote code execution.
CVE-2021-45046 - The Apache Log4j2 Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.
CVE-2021-45105 - Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.


Resolution

Depending on where your application is deployed, please refer to the respective sections below to address the security issues identified in CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105. If you are in a non-supported version, it is necessary to update to a supported version (version in Standard or Extended Support).


Standalone Mule Runtime (on-premise)

Mule Runtime 4.x

In order to address the security issues identified in CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 for Mule 4 Runtimes running On Premise or being managed by customers, please follow the instructions in one of these options:

Option 1: If you use Mule Runtime 4.3.0 or 4.4.0, download and install the March monthly patch update for your respective Mule 4.3.0 / 4.4.0 version.
By moving to version 2.17.1, this patch update includes all necessary Log4J library remediations.
Monthly patches (files starting with mule-ee-patch-4.1-*.zip) can be downloaded from the Help Center download page. The README.TXT in the zip file contains the installation steps.

Mule 4.4.0 and 4.3.0 latest monthly patch reference table:

Mule Runtime version | Mule Distribution Cumulative Patch
4.3.0                | mule-ee-patch-4.3.0-20220221-MARCH-2022.zip
4.4.0                | mule-ee-patch-4.4.0-20220221-MARCH-2022.zip


Option 2: If you cannot install the March monthly patch update, you can manually mitigate the CVEs previously mentioned in this section by following these instructions:
Step 1 of 6: Stop your Mule 4.x Runtime.
Step 2 of 6: Download the Log4j version 2.17.1 libraries from the Apache Website.
Step 3 of 6: Remove the following jar files

  • ${MULE_HOME}/lib/boot/log4j-1.2-api-2.x.x.jar
  • ${MULE_HOME}/lib/boot/log4j-api-2.x.x.jar
  • ${MULE_HOME}/lib/boot/log4j-core-2.x.x.jar
  • ${MULE_HOME}/lib/boot/log4j-slf4j-impl-2.x.x.jar
If you use Mule Runtime 4.3.0 or 4.4.0 (for which no cumulative patch is required), also remove the following jar files:
  • ${MULE_HOME}/services/mule-service-weave-ee-2.x.x/lib/log4j-api-2.x.x.jar
  • ${MULE_HOME}/services/mule-service-weave-ee-2.x.x/lib/log4j-core-2.x.x.jar

Step 4 of 6: Copy the respective libraries from the downloaded 2.17.1 version:

  • apache-log4j-2.17.1-bin/log4j-1.2-api-2.17.1.jar to ${MULE_HOME}/lib/boot
  • apache-log4j-2.17.1-bin/log4j-api-2.17.1.jar to ${MULE_HOME}/lib/boot
  • apache-log4j-2.17.1-bin/log4j-core-2.17.1.jar to ${MULE_HOME}/lib/boot
  • apache-log4j-2.17.1-bin/log4j-slf4j-impl-2.17.1.jar to ${MULE_HOME}/lib/boot

If you use Mule Runtime 4.3.0 or 4.4.0 (for which no cumulative patch is required), also copy the respective libraries from the downloaded 2.17.1 version:

  • Copy apache-log4j-2.17.1-bin/log4j-api-2.17.1.jar to ${MULE_HOME}/services/mule-service-weave-ee-2.x.x/lib/
  • Copy apache-log4j-2.17.1-bin/log4j-core-2.17.1.jar to ${MULE_HOME}/services/mule-service-weave-ee-2.x.x/lib/

Step 5 of 6: Depending on the Mule 4.x version you are using, you may need to apply an individual or cumulative patch for the specific Mule 4.x version:

  • For 4.1.1 and 4.1.2
    1. Remove the patch MULE-15169 from {MULE_HOME}/lib/patches if it is installed
    2. Install patch EE-8188-4.1.3-4.1.1-1.1.jar in {MULE_HOME}/lib/patches
    3. Add caffeine-2.6.2.jar to {MULE_HOME}/lib/opt
  • For 4.1.3
    1. Install patch EE-8188-4.1.3-4.1.1-1.1.jar in {MULE_HOME}/lib/patches
    2. Add caffeine-2.6.2.jar to {MULE_HOME}/lib/opt
  • For 4.1.4
    1. Install patch EE-8188-4.1.4-1.1.jar in {MULE_HOME}/lib/patches

Use the table below as a reference to determine if you need to apply an individual or cumulative patch. If you are using Mule 4.3.0 or 4.4.0, you will not need to apply any additional patches.

  • If you need to apply the individual or cumulative patch, you can follow these instructions (How to apply patches to Mule 4.x) on where and how to copy the patch file accessible via the links in the table below.

Step 6 of 6: Once the Log4j libraries and the individual/cumulative patch (if needed) have been copied, you can restart your Mule 4.x Runtime.

Mule 4.x individual or cumulative patch reference table

Note: Cumulative patches (files starting with mule-ee-patch-4.1-*.zip) can be downloaded from the Help Center download page.

Mule Runtime Version | log4j patch
4.1.1, 4.1.2, 4.1.3  | EE-8188-4.1.3-4.1.1-1.1.jar (Checksum SHA256: fa8f2cecdfd2c5c0320813a7440f5132a1fd1941daa67368544ed7e7ed18e100)
4.1.4                | EE-8188-4.1.4-1.1.jar (Checksum SHA256: 6e6b6da4e611953c01a4205f1342bb6e981374731d985c6bc2a6d738c0f83160)
4.1.5                | mule-ee-patch-4.1.5-20220221-MARCH-2022.zip
4.1.6                | mule-ee-patch-4.1.6-20220221-MARCH-2022.zip
4.2.0                | mule-ee-patch-4.2.0-20220221-MARCH-2022.zip
4.2.1                | mule-ee-patch-4.2.1-20220221-MARCH-2022.zip
4.2.2                | mule-ee-patch-4.2.2-20220221-MARCH-2022.zip
4.3.0                | No additional patch required
4.4.0                | No additional patch required



Mule Runtime 3.x

In order to address the security issues identified in CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 for Mule 3 Runtimes running On-Premise or being managed by customers, please follow the instructions in one of these options:

Option 1: If you use Mule Runtime 3.9.5, download and install the March monthly patch update. By moving to version 2.12.4, this patch update includes all necessary Log4J library remediations.
The monthly patch (file starting with mule-ee-patch-3.9-5*.zip) can be downloaded from the Help Center download page. The README.TXT in the zip file contains the installation steps.

Mule 3.9.5 March monthly patch reference table:

Mule Runtime version | Mule Distribution Cumulative Patch
3.9.5                | mule-ee-patch-3.9.5-20220222-march-2022.zip


Option 2: If you cannot install the March monthly patch update, you can manually mitigate the CVEs previously mentioned in this section by following these instructions:

Step 1 of 7: Stop your Mule 3.x Runtime.
Step 2 of 7: Download the Log4j version 2.12.4 libraries from the Apache Website.
Step 3 of 7: Remove the following jar files from the ${MULE_HOME}/lib/boot folder:
  • ${MULE_HOME}/lib/boot/log4j-1.2-api-2.x.x.jar
  • ${MULE_HOME}/lib/boot/log4j-api-2.x.x.jar
  • ${MULE_HOME}/lib/boot/log4j-core-2.x.x.jar
  • ${MULE_HOME}/lib/boot/log4j-slf4j-impl-2.x.x.jar
  • ${MULE_HOME}/lib/boot/log4j-jcl-2.x.x.jar
  • ${MULE_HOME}/lib/boot/log4j-jul-2.x.x.jar
Step 4 of 7: Copy the respective libraries from the downloaded 2.12.4 version into the ${MULE_HOME}/lib/boot folder:
  • apache-log4j-2.12.4-bin/log4j-1.2-api-2.12.4.jar to ${MULE_HOME}/lib/boot
  • apache-log4j-2.12.4-bin/log4j-api-2.12.4.jar to ${MULE_HOME}/lib/boot
  • apache-log4j-2.12.4-bin/log4j-core-2.12.4.jar to ${MULE_HOME}/lib/boot
  • apache-log4j-2.12.4-bin/log4j-slf4j-impl-2.12.4.jar to ${MULE_HOME}/lib/boot
  • apache-log4j-2.12.4-bin/log4j-jcl-2.12.4.jar to ${MULE_HOME}/lib/boot
  • apache-log4j-2.12.4-bin/log4j-jul-2.12.4.jar to ${MULE_HOME}/lib/boot
Step 5 of 7: Depending on the Mule 3.x version you are using, you may need to apply an individual or cumulative patch for the specific Mule 3.x version:
  • For 3.8.0 - 3.8.7
    1. Install the patch EE-8195-3.8.7-3.8.0/1.1/EE-8195-3.8.7-3.8.0-1.1.jar in {MULE_HOME}/lib/user.
    2. Remove the file disruptor-x.y.z.jar from {MULE_HOME}/lib/boot.
    3. Copy the downloaded disruptor-3.4.2.jar file into {MULE_HOME}/lib/boot.
  • For 3.9.0 - 3.9.4
    1. Install the patch EE-8195-3.9.0-3.9.5-3.0.jar in {MULE_HOME}/lib/user. (A revised patch, EE-8195-3.9.0-3.9.5-3.0.jar, was released on 30-Dec-2021 to address an issue that only happens when a reconfiguration of the log4j context is called by custom code from an app.)
    2. Remove the file disruptor-x.y.z.jar from {MULE_HOME}/lib/boot.
    3. Copy the downloaded disruptor-3.4.2.jar file into {MULE_HOME}/lib/boot.
  • For 3.9.5
    1. Install the cumulative patch referenced in the table below.
Use the “Mule 3.x individual or cumulative patch reference table” below to determine whether you need an individual or cumulative patch and which one to install.

Step 6 of 7: Depending on the Mule 3.x version you are using, you may need to apply a Dataweave patch:
  • For 3.8.5
    1. Download the mule-plugin-weave-3.8.5-20220125-dist.zip file.
    2. Inside the MULE_HOME/plugins folder, delete any existing mule-plugin-weave-*-dist.zip file or mule-plugin-weave-3.x.x-dist folder (alternatively, move it to a temporary location). Then copy the mule-plugin-weave-3.8.5-20220125-dist.zip file included in this patch into that folder. Do not unzip the file.
  • For 3.9.3
    1. Download the mule-plugin-weave-3.9.3-20220125-dist.zip file.
    2. Inside the MULE_HOME/plugins folder, delete any existing mule-plugin-weave-*-dist.zip file or mule-plugin-weave-3.x.x-dist folder (alternatively, move it to a temporary location). Then copy the mule-plugin-weave-3.9.3-20220125-dist.zip file included in this patch into that folder. Do not unzip the file.
  • For 3.9.4
    1. Download the mule-plugin-weave-3.9.4-20220125-dist.zip file.
    2. Inside the MULE_HOME/plugins folder, delete any existing mule-plugin-weave-*-dist.zip file or mule-plugin-weave-3.x.x-dist folder (alternatively, move it to a temporary location). Then copy the mule-plugin-weave-3.9.4-20220125-dist.zip file included in this patch into that folder. Do not unzip the file.
Use the “Mule 3.x Dataweave plugin patch reference table” below to determine which Dataweave plugin file to download from the Help Center download page.

Step 7 of 7: Once the Log4j libraries, the individual/cumulative patch (if needed) and the Dataweave plugin (if needed) have been copied, you can restart your Mule 3.x Runtime.

Mule 3.x individual or cumulative patch reference table

Mule Runtime Version | Patch
3.8.0 to 3.8.7       | EE-8195-3.8.7-3.8.0-1.1.jar (checksum SHA256: d353ec26080cb9f9c74891396acb7dc2c3d7d67c569889136b1e9f7c6bf3a64e)
3.9.0 to 3.9.4       | EE-8195-3.9.0-3.9.5-3.0.jar (checksum SHA256: 600b04ca0776bf8dd54751cda27b22ecdc3daa21b94521fd0814eac9f76e723d)
3.9.5                | Download mule-ee-patch-3.9.5-20220222-MARCH-2022.zip from the Help Center download page

Mule 3.x Dataweave plugin patch reference table

Mule Runtime Version | Patch
3.8.5                | Download mule-plugin-weave-3.8.5-20220125-dist.zip from the Help Center download page
3.9.3                | Download mule-plugin-weave-3.9.3-20220125-dist.zip from the Help Center download page
3.9.4                | Download mule-plugin-weave-3.9.4-20220125-dist.zip from the Help Center download page
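The manual steps for Mule 4.x and Mule 3.x above both come down to the same two checks a practitioner wants to script: confirm that every Log4j jar on the runtime's classpath (lib/boot and, for the DataWeave service, services/*/lib) is at or above the required version (2.17.1 for 4.x, 2.12.4 for 3.x), and confirm that a downloaded patch file matches the SHA256 published in the reference tables before installing it. The POSIX shell script below is an added example written for this article, not MuleSoft tooling: the directory layout is taken from the steps above, while the MULE_HOME contents it builds for its demonstration (a weave-ee service version and 2.13.3 jars) are constructed sample data.

```shell
#!/bin/sh
# Added verification helpers (not MuleSoft tooling): audit the Log4j jars under a
# Mule Runtime home and verify a downloaded patch against a published SHA-256.
# Layout assumption, taken from the steps in this article: Log4j jars live in
# ${MULE_HOME}/lib/boot and, for the DataWeave service, ${MULE_HOME}/services/*/lib.

# Print the version embedded in a Log4j jar filename, e.g.
# log4j-slf4j-impl-2.17.1.jar -> 2.17.1 (also handles log4j-1.2-api-2.17.1.jar).
log4j_jar_version() {
  base=${1##*/}
  base=${base%.jar}
  printf '%s\n' "${base##*-}"
}

# Return 0 when dotted version $1 is greater than or equal to $2, 1 otherwise.
# Missing components count as 0, so 2.17 compares equal to 2.17.0.
version_ge() {
  v1=$1; v2=$2
  while [ -n "$v1" ] || [ -n "$v2" ]; do
    p1=${v1%%.*}; p2=${v2%%.*}
    if [ "$v1" = "$p1" ]; then v1=; else v1=${v1#*.}; fi
    if [ "$v2" = "$p2" ]; then v2=; else v2=${v2#*.}; fi
    p1=${p1:-0}; p2=${p2:-0}
    [ "$p1" -gt "$p2" ] && return 0
    [ "$p1" -lt "$p2" ] && return 1
  done
  return 0
}

# Print every Log4j jar path under MULE_HOME $1, one per line.
list_log4j_jars() {
  for jar in "$1"/lib/boot/log4j-*.jar "$1"/services/*/lib/log4j-*.jar; do
    if [ -e "$jar" ]; then printf '%s\n' "$jar"; fi
  done
}

# Report each Log4j jar under MULE_HOME $1 as OK or OUTDATED against required version $2.
# Returns 0 when every jar is at or above the required version, 1 otherwise.
# (Paths are word-split, so MULE_HOME should not contain spaces.)
audit_mule_home() {
  result=0
  for jar in $(list_log4j_jars "$1"); do
    ver=$(log4j_jar_version "$jar")
    if version_ge "$ver" "$2"; then
      printf 'OK       %-8s %s\n' "$ver" "$jar"
    else
      printf 'OUTDATED %-8s %s (requires >= %s)\n' "$ver" "$jar" "$2"
      result=1
    fi
  done
  return "$result"
}

# Print the number of outdated jars (0 once the runtime is fully remediated).
count_outdated() {
  audit_mule_home "$1" "$2" | grep -c '^OUTDATED' || true
}

# Print the SHA-256 hex digest of file $1 with whichever tool the host provides.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 when file $1 matches the expected digest $2 (case-insensitive), 1 otherwise.
# Use it on a downloaded patch jar with the checksum from the reference table.
verify_sha256() {
  actual=$(file_sha256 "$1" | tr 'A-Z' 'a-z')
  expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ "$actual" = "$expected" ]
}

# Demonstration on a constructed MULE_HOME layout (sample data, not a real install):
demo_home=$(mktemp -d)
mkdir -p "$demo_home/lib/boot" "$demo_home/services/mule-service-weave-ee-2.4.0/lib"
for name in log4j-1.2-api log4j-api log4j-core log4j-slf4j-impl; do
  : > "$demo_home/lib/boot/$name-2.13.3.jar"
done
: > "$demo_home/services/mule-service-weave-ee-2.4.0/lib/log4j-core-2.13.3.jar"
echo "Mule 4.x audit before remediation (requires 2.17.1):"
audit_mule_home "$demo_home" 2.17.1 || echo "-> remediation required"
rm -rf "$demo_home"
```

Run it against a real installation with `audit_mule_home /opt/mule 2.17.1` (or `2.12.4` for a 3.x runtime) after Step 4 and again after the restart; a non-zero exit means a jar was missed, which is exactly the case the 4.3.0/4.4.0 DataWeave service note above warns about. Verify a patch before copying it into lib/patches or lib/user with `verify_sha256 EE-8188-4.1.4-1.1.jar <checksum from the table>`.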
     

Mule Agent for Mule Runtime (3.x and 4.x)

Remediating the Mule Runtime Standalone as described above, or the Runtime Fabric Mule Runtime as described below, will address the security issues currently identified in CVE-2021-44228, CVE-2021-45105, and CVE-2021-45046. Make sure the Mule Runtime is mitigated appropriately.
MuleSoft released the below updates to Mule Agent in order to update to the latest log4j libraries (binaries can be downloaded from the Help Center downloads page). Notes:
  • Customers upgrading to the latest version of Mule Agent must review this article
  • After updating the Mule Agent version, the older versions of agent-setup-2.x.x-amc-final.jar can be deleted manually from the {MULE_HOME}/tools directory. For example, agent-setup-2.4.10-amc-final.jar and agent-setup-2.4.26-amc-final.jar can be deleted after updating to agent-setup-2.4.27-amc-final.jar (contains the fix for the log4j2 vulnerability):
$ tools % ls -ll
total 566216
-rw-r--r--@ 1 mule  wheel  74132526 Oct  7  2020 agent-setup-2.4.10-amc-final.jar
-rwx------@ 1 mule  wheel  80132775 Dec 21  2021 agent-setup-2.4.26-amc-final.jar
-rw-r--r--@ 1 mule  wheel  79586045 May 31 09:35 agent-setup-2.4.27-amc-final.jar



Runtime Fabric (RTF)

  • Runtime Fabric appliances are not impacted; this includes Gravity components and Runtime Fabric components. Customers still need to follow up on application remediations by updating to the latest runtimes.
  • Self-managed Runtime Fabric - We analyzed the component/software component shipped, and there is no mitigation/fix needed as log4j is not used. Customers still need to follow up on application remediations by updating to the latest runtimes.

Mule Runtime (4.x and 3.x)

A patch release to fix CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 was made available to customers on December 24, 2021, for all supported Mule 3.x and Mule 4.x versions.
In order to mitigate the security issues currently identified in CVE-2021-44228, CVE-2021-45105, and CVE-2021-45046, you must apply the latest patch release. Please refer to Mule Runtime Patch Updates for Runtime Fabric for instructions on updating your runtime patch release.

Below are the runtime patch release tags that include the fix:

  • 4.4.0:20211221-1
  • 4.3.0:20211221-1
  • 4.2.2:20211222-1
  • 4.2.1:20211222-1
  • 4.2.0:20211222-1
  • 4.1.6:20211222-1
  • 4.1.5:20211222-1
  • 4.1.4:20211222-1
  • 4.1.3:20211222-1
  • 4.1.2:20211222-1
  • 3.9.5:20211223-1
  • 3.9.4:20211223-1
  • 3.9.3:20211223-1
  • 3.9.2:20211223-1
  • 3.9.1:20211223-1
  • 3.8.7:20211223-1
Notes: We have already included the fix for CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 in release tags greater than the versions listed above.


CloudHub

In order to address the security issues identified in CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105, the latest patches for all supported Mule runtime versions were made available on March 8, 2022.

Customers must apply the latest patch release published on March 8, 2022. This step is also recommended for customers who patched their runtime in Cloudhub prior to March 8, 2022.

CloudHub applications will be patched according to the revised schedule for monthly updates below:
  • Sandbox Applications - Between March 21, 2022 and March 25, 2022.
  • Production Applications - Between March 26, 2022 and March 27, 2022.
To voluntarily update your runtime with the additional fix before your application is forcibly restarted, please update your runtime release.

Dedicated Load Balancer:
Remediation for Dedicated Load Balancer was completed on 12/21/2021. No customer action required.


Anypoint Studio

Studio 7.x

In order to address the security issues currently identified in CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105, a new patch release of Anypoint Studio (version 7.11.1) has been made available on January 6, 2022, at 5 PM PST.

This issue requires your immediate attention. You must download the latest Studio version 7.11.1 from the Help Center download page and use it in order to address the security issues currently identified in CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105. In addition, we strongly suggest that you remove older versions of Studio 7.x from your desktop and do a full fresh reinstall (uninstall and install Studio 7.11.1 again; this may help eliminate older-version Log4J files no longer in use). The Studio Update Site for all Mule Runtime 4.x is updated with the latest fix.


Studio 6.x

In order to address the security issues currently identified in CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105, a new patch release of Anypoint Studio (version 6.6.9) was made available on January 10, 2022, at 5 PM PST.
This issue requires your immediate attention. You must download and use the latest Studio version 7.11.1 in order to address the security issues currently identified in CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105. In addition, you must remove older versions of Studio 6.x from your desktop and perform a full fresh reinstall in order to help eliminate older-version Log4J files no longer in use. If you use Mule 3.9.x with Studio 6.6.9, there is no action to take at this time. If you use Studio 6.6.9 with Mule 3.8.x, then you must follow the instructions outlined in the “Runtime in Studio 6.x” section below.


Mule Runtime in Studio

Runtimes in Studio 6.x

You must follow the mitigation instructions described in the “Studio 6.x” section in order to address the security issues currently identified in CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105. If you are using Mule Runtime 3.8.x, you must manually mitigate the installed Mule Runtime 3.8.x by following the steps below (these steps are not needed if you are using Mule 3.9.x):

When running an application inside Studio 6.x (i.e. an application started from Studio) you will need to perform the following steps for each of the installed Mule Runtimes. Please do not update Mule Runtimes via the Update Site after applying this remediation:

Step 1 of 5: Stop Studio 6.x (this is primarily important when running Studio on Windows).
Step 2 of 5: Identify the directory within the Studio installation directory where your Mule Runtimes are installed.
The directory pattern should be something like this:
{STUDIO_HOME}/plugins/org.mule.tooling.server.{MULE_VERSION}.ee_n.n.n.nnnnnnnnnnnn
  • For example: org.mule.tooling.server.3.8.3.ee_6.2.2.201701201826, where:
    • STUDIO_HOME is the installation directory for Studio 6.x.
    • MULE_VERSION is the Mule Runtime version installed within Studio 6.x. For example: 3.8.3.
    • n.n.n.nnnnnnnnnnnn is the release tag. If there is more than one directory at the release tag level, you will likely be using the greatest one. Make sure to update all subfolders by following the steps below.
Step 3 of 5: Find the {MULE_HOME} subdirectory by appending /mule to the directory found in the previous step.
For example:
  • {MULE_HOME} = {STUDIO_HOME}/plugins/org.mule.tooling.server.3.8.3.ee_6.2.2.201701201826/mule
Step 4 of 5: Refer to the “Standalone Mule Runtime (on-premise) > Mule Runtime 3.x” section for instructions to replace the log4j jars and apply the required individual or cumulative patch.
Step 5 of 5: Restart Studio 6.x after performing these manual steps for each one of the Mule Runtimes within Studio 6.x.


Runtimes in Studio 7.x

You must follow the mitigation instructions described in the “Studio 7.x” section. The Studio Update Site for all Mule Runtime 4.x is updated with the latest fix.


Munit

Mitigation instructions for MUnit when tests are run from Studio 7.x:
MUnit tests that are launched and triggered inside Studio 7.x are not affected by the security issues identified in CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 as long as they are running in Studio version 7.11.1.

A patched MUnit runtime distribution for Mule Runtime 4.x is available in the March 8, 2022 release. Please follow the instructions in the article to use the patched MUnit runtime while executing the tests.

Mule 4.x MUnit runtime distribution id reference table

Mule Runtime Version | MUnit runtime distribution id with log4j patch
4.1.5                | 4.1.5-20220221
4.1.6                | 4.1.6-20220221
4.2.0                | 4.2.0-20220221
4.2.1                | 4.2.1-20220221
4.2.2                | 4.2.2-20220221
4.3.0                | 4.3.0-20220221
4.4.0                | 4.4.0-20220221

Mitigation instructions for MUnit when tests are run from Studio 6.x:
MUnit tests that are launched and triggered inside Studio 6.x are not affected by the security issues identified in CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 as long as they are running in Studio version 6.6.9.

Mitigation instructions for MUnit when running standalone (e.g. CI/CD):

In order to address the security issues currently identified in CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105, a new patch release of MUnit has been made available on January 10, 2022, at 5 PM PST.

  • For Mule 3.x Runtimes - MUnit version 1.3.15 released with log4j version 2.12.3
  • For Mule 4.x Runtimes - MUnit version 2.3.7 released with log4j version 2.17
    • A patched MUnit runtime distribution for Mule Runtime 4.x is available in the March 8, 2022 release. Please follow the instructions in the article to use the patched MUnit runtime while executing the tests. Refer to the "Mule 4.x MUnit runtime distribution id reference table" above for the id of the fix release.

APIKit

The APIKit framework is used both at Design time and at Runtime.
When APIKit is used at Design time within Studio, as long as Studio is properly remediated as indicated in the “Studio 6.x” and “Studio 7.x” sections above, APIKit will not be affected by the security issues identified in CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.
When APIKit is used at Runtime (included as a dependency in API Mule Applications), as long as the Mule Runtime environment has been properly remediated as indicated in the “Standalone Mule Runtime (on-premise)”, “Runtime Fabric (RTF)” and “CloudHub” sections, APIKit will not be affected by the security issues identified in CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.


DataWeave

The DataWeave framework is used both at Design time and at Runtime.
When DataWeave is used at Design time within Studio, as long as Studio is properly remediated as indicated in the “Studio 6.x” and “Studio 7.x” sections above, DataWeave will not be affected by the security issues identified in CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.
When DataWeave is used at Runtime, as long as the Mule Runtime environment has been properly remediated as indicated in the “Standalone Mule Runtime (on-premise)”, “Runtime Fabric (RTF)” and “CloudHub” sections, DataWeave will not be affected by the security issues identified in CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.


    Devkit

    Release 3.9.15 of devkit and devkit-parent, which bundles Log4J 2.12.4, has been added to the repository.


    Mule Connectors

    Anypoint Connectors that are created and publicly offered by MuleSoft via Anypoint Exchange, and are used within Mule Applications deployed in any of the Mule Runtime deployment options described above, will not be affected by the security issues identified in CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105, as long as the runtimes are properly remediated as indicated in the “Standalone Mule Runtime (on-premise)”, “Runtime Fabric (RTF)” and “CloudHub” sections above.
    Connectors that are created using SDK / Devkit with Log4j dependencies will not be affected by the security issues identified in CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105, provided that the Runtime is properly remediated as indicated in the “Standalone Mule Runtime (on-premise)”, “Runtime Fabric (RTF)” and “CloudHub” sections above.

    MuleSoft released the updates below to MuleSoft Connectors, which do not include a vulnerable version of the Log4j libraries. To ensure that CI/CD builds and Mule applications do not contain old versions of Log4j, customers must update to the connector versions listed below.

    Updated Mule Runtime 3.x connectors:

    Connector Name                           Updated version
    sap-connector                            3.2.6
    edifact-connector                        1.3.8
    hl7-connector                            3.1.7
    x12-connector                            1.4.4
    tradacoms-connector                      1.0.5
    mule3-rosettanet-connector               1.1.3
    hl7-mllp-connector                       3.1.7
    as2-connector                            3.0.7
    microsoft-sharepoint-online-connector    1.0.5
    salesforce-connector                     8.11.3
    apikit                                   3.9.5-20211223

     

    Updated Mule Runtime 4.x connectors:

    Connector Name                           Updated version
    amazon-kinesis-data-streams-connector    1.0.10
    confluent-schema-registry-connector      1.0.7
    google-pubsub-connector                  1.0.2
    asana-connector                          1.0.4
    docusign-connector                       1.0.3
    quickbooks-online-connector              2.0.3
    smartsheet-connector                     1.2.3
    xero-connector                           1.0.8
    zuora-connector                          6.0.5
    zuora-aqua-connector                     1.0.7
    snowflake-connector                      1.1.0
    edifact-connector                        2.5.2
    hl7-connector                            4.2.7
    x12-connector                            2.7.3
    tradacoms-connector                      2.0.4
    rosettanet-connector                     2.0.19
    azure-cosmos-db-connector                1.0.1
    outlook365-connector                     1.0.2
    gmail-connector                          1.0.3
    google-calendar-connector                1.1.3
    intercom-connector                       1.0.3
    mailchimp-marketing-connector            1.0.2
    powerbi-connector                        1.0.3
    shopify-connector                        1.1.2
    slack-connector                          1.0.9
    twilio-connector                         4.2.4
    workday-connector                        14.1.1
    zoom-connector                           1.0.3
    amazon-lambda-connector                  1.0.4
    jira-connector                           1.1.8
    box-connector                            5.1.5
    dropbox-business-connector               1.0.3
    google-drive-connector                   1.0.1
    apikit-rest-module                       1.3.13



    Mule Maven Plugin (MMP)

    The Mule Maven Plugin does not use Log4j v2. As such, it is not affected by the security issues identified in CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.

    Maven repositories

    MuleSoft will continue to monitor, identify, and remove old log4j libraries (Log4j version < 2.12.4 for Mule 3.x-related components and Log4j version < 2.17.1) from its Maven repository as part of the remediation efforts for CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105. Customers using older versions of the Maven Plugin, MUnit Plugin, Connectors, or other dependencies may therefore experience Maven build errors.
    To address this, please review the “Remediation” sections in this article and update to the recommended versions of components and dependencies.



    Private Cloud Edition (PCE)

    PCE Control plane
    A new Hotfix release was published on March 8, 2022, with the updated third-party library in multiple services to include log4j dependency version 2.17.1. The new release is available for PCE versions 1.7.x, 2.0.x, 2.1.x, 3.0.0, 3.0.1, 3.0.2. In order to address the security issues identified in CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105, customers must apply the Hotfix published on March 8, 2022. This step is also recommended for customers who applied a Hotfix released prior to March 14, 2022.

    Previously, a Hotfix was published for PCE versions 2.1.1, 2.1.2, 3.0.0, and 3.1.1 on December 23, 2021, for version 2.1.0 on December 29, 2021, for version 1.7.x on January 3, 2022, and for version 2.0.x on January 4, 2022.
    For more information, please refer to the knowledge article, Apache Log4j2 vulnerability - December 2021 - Private Cloud Edition Remediation.

    Runtimes paired with PCE:
    Follow the same procedure provided in the "Standalone Mule Runtime (on-premise)" section for patching runtimes that are paired with PCE.
     

    Pivotal Cloud Foundry (PCF)

    For PCF patches, please create a case with MuleSoft Support.


    Mule Runtime Engine Clusters

    Each Mule runtime engine in a cluster must be patched separately. Follow the same procedure as for Standalone Mule Runtime.
     

    Mule Applications bundling Log4J

    Best practice is not to add Log4j2 as a dependency in your Mule Application pom.xml; customers should instead rely on the Log4J libraries shipped with the Mule Runtime. Even when a non-remediated Log4J dependency is manually added to the Mule Application, the classloading order means that only the dependency bundled with the Mule Runtime is used. This means that if the Mule Runtime is properly mitigated as described in the sections “Standalone Mule Runtime (on-premise)”, “Runtime Fabric (RTF)” and “CloudHub”, the vulnerability cannot be exploited.
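    The following is an added example, not MuleSoft code, that turns the connector tables, the "Maven repositories" thresholds (Log4j 2.12.4 for Mule 3.x, 2.17.1 for Mule 4.x) and the advice in this section into a build-time check: it audits a pom.xml for connectors and any direct log4j-core dependency declared below the listed versions, and lists any log4j-core jar bundled inside a built deployable archive. The pom and archive it runs on are constructed inline; matching dependencies by artifactId only, the "repository/" layout of the sample archive, and the simplified Maven version ordering are assumptions, and the embedded minimum-version table is a subset to be extended from the full tables above.

```python
"""Audit a Mule application's pom.xml and built deployable archive against the
minimum versions given in this article.  Added example with constructed inputs;
it is not MuleSoft code and its matching rules are assumptions noted inline."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Minimum versions from the "Updated Mule Runtime 3.x/4.x connectors" tables.
# Only a subset is embedded here; extend the dicts from the full tables.
MIN_CONNECTOR_VERSIONS = {
    3: {"sap-connector": "3.2.6", "salesforce-connector": "8.11.3",
        "apikit": "3.9.5-20211223"},
    4: {"amazon-kinesis-data-streams-connector": "1.0.10",
        "snowflake-connector": "1.1.0", "workday-connector": "14.1.1",
        "apikit-rest-module": "1.3.13"},
}
# Log4j thresholds from the "Maven repositories" section, by Mule runtime major.
MIN_LOG4J = {3: "2.12.4", 4: "2.17.1"}
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Matches a bundled log4j-core jar anywhere in the archive, e.g.
# repository/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar
LOG4J_JAR = re.compile(r"(?:^|/)log4j-core-(\d[^/]*?)\.jar$")


def parse_version(v):
    """Split '3.9.5-20211223' into a comparable key ((3, 9, 5), (1, 20211223)).
    Simplified Maven ordering (assumption): a numeric build qualifier after '-'
    sorts above no qualifier; a textual qualifier such as SNAPSHOT sorts below."""
    main, _, qualifier = v.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in main.split("."))
    if qualifier == "":
        rank = (1, 0)
    elif qualifier.isdigit():
        rank = (1, int(qualifier))
    else:
        rank = (0, qualifier.upper())
    return nums, rank


def meets_minimum(found, minimum):
    return parse_version(found) >= parse_version(minimum)


def audit_pom(pom_xml, runtime_major):
    """Return {artifactId: (declared, minimum)} for every listed dependency that is
    declared below its updated version.  Matching is by artifactId only
    (assumption: groupIds differ between connectors).  A direct log4j-core
    dependency is checked against MIN_LOG4J; the article advises against it."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", POM_NS)}
    minimums = {**MIN_CONNECTOR_VERSIONS[runtime_major],
                "log4j-core": MIN_LOG4J[runtime_major]}
    findings = {}
    for dep in root.findall(".//m:dependency", POM_NS):
        artifact = dep.findtext("m:artifactId", default="", namespaces=POM_NS).strip()
        minimum = minimums.get(artifact)
        if minimum is None:
            continue
        declared = dep.findtext("m:version", default="", namespaces=POM_NS).strip()
        # Resolve ${property} references from <properties>; leave unknown ones as-is.
        declared = re.sub(r"\$\{([^}]+)\}",
                          lambda m: props.get(m.group(1), m.group(0)), declared)
        # No version means it comes from a BOM/dependencyManagement: flag for review.
        if not declared or not meets_minimum(declared, minimum):
            findings[artifact] = (declared or "unresolved", minimum)
    return findings


def audit_archive(archive_bytes, runtime_major):
    """List (entry, version, ok) for each log4j-core jar bundled in a deployable.
    The runtime's own copy wins at class-loading time (see above), but a stale
    bundled copy still breaks builds once it is purged from the Maven repository."""
    results = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            m = LOG4J_JAR.search(name)
            if m:
                version = m.group(1)
                results.append((name, version,
                                meets_minimum(version, MIN_LOG4J[runtime_major])))
    return results


# --- constructed sample inputs (not taken from any real project) ---
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><snowflake.version>1.0.9</snowflake.version></properties>
  <dependencies>
    <dependency><groupId>com.mulesoft.connectors</groupId>
      <artifactId>snowflake-connector</artifactId><version>${snowflake.version}</version></dependency>
    <dependency><groupId>org.mule.modules</groupId>
      <artifactId>apikit-rest-module</artifactId><version>1.3.13</version></dependency>
    <dependency><groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId><version>2.14.1</version></dependency>
  </dependencies>
</project>"""


def build_sample_archive():
    """Construct a minimal zip with two nested log4j-core jars (empty placeholders)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes/placeholder.txt", "constructed sample")
        zf.writestr("repository/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar", b"")
        zf.writestr("repository/org/apache/logging/log4j/log4j-core/2.17.1/log4j-core-2.17.1.jar", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for artifact, (declared, minimum) in audit_pom(SAMPLE_POM, 4).items():
        print(f"pom: {artifact} {declared} is below {minimum}")
    for entry, version, ok in audit_archive(build_sample_archive(), 4):
        print(f"archive: {entry} -> {'ok' if ok else 'UPDATE'} (min {MIN_LOG4J[4]})")
```

    Run against a real project by passing the contents of its pom.xml to audit_pom and the bytes of the packaged deployable to audit_archive with the runtime major (3 or 4). A finding of "unresolved" means the version is inherited from a parent or BOM and has to be confirmed from the effective pom rather than the file itself.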
     

    Dataloader.io

    A fix was applied on December 14, 2021 for CVE-2021-45046 and CVE-2021-44228 vulnerabilities. A fix for CVE-2021-45105 was applied on December 25, 2021. No action is required from customers.
     

    Anypoint Gateway for Windows

    Anypoint Gateway for Windows is not affected by the security issues identified in CVE-2021-44228 and CVE-2021-45046. No action is required from customers.


    Additional Help

    If you need further assistance, create a case with MuleSoft Support.
    Additional resources
    Log4jHotPatch.jar
    Knowledge article number

    001115299

     