nextgenhealthcare / connect

The swiss army knife of healthcare integration.

[SECURITY] Switch XStream to Use an allowlist Instead of a denylist #5952

Closed jdonextgen closed 8 months ago

jdonextgen commented 8 months ago

Describe the security issue
Mirth Connect uses the XStream library to serialize and deserialize objects. It is a potential security risk to allow unexpected object types to be processed through XStream. Therefore we are now being more restrictive about what types are allowed by using an allowlist instead of a denylist. The only types allowed are those that are strictly necessary for Mirth Connect to operate.

Vulnerability Location
This vulnerability exists in the XStream library or how we use the XStream library.

Environment (please complete the following information if it is applicable to the issue)

Suggested remediation
Switch to using an allowlist which would make the accepted types more restrictive.

Additional context
n/a
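The following Java is an added illustration of the two XStream configurations the issue contrasts; it is not code from the Mirth Connect project. The denylist variant accepts any type that is not explicitly blocked, so a class nobody thought to list is still instantiated from attacker-controlled XML. The allowlist variant starts from NoTypePermission.NONE and re-enables only primitives, collections and the application types the caller needs, so an unexpected type is rejected with ForbiddenClassException before any object is constructed. The class names ChannelMessage and UnexpectedType, the sample XML and the package wildcard in the comment are hypothetical; the XStream calls (addPermission, allowTypes, allowTypeHierarchy, denyTypesByWildcard) are the library's public security API.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Map;

// Hypothetical application type that legitimately travels through XStream.
class ChannelMessage {
    String channelId;
    ArrayList<String> rawData = new ArrayList<>();
}

// Hypothetical type the application never expects to deserialize. Stands in
// for any gadget class an attacker might name in the XML.
class UnexpectedType {
    String payload;
}

public class XStreamAllowlistDemo {

    // Denylist: permit everything, then block a few known-bad packages.
    // Anything not on the list (including UnexpectedType) is still accepted.
    static XStream denylistXStream() {
        XStream xs = new XStream();
        xs.addPermission(AnyTypePermission.ANY);
        xs.denyTypesByWildcard(new String[] { "javax.imageio.**", "sun.**", "com.sun.**" });
        return xs;
    }

    // Allowlist: block everything, then re-enable only what the caller needs.
    // NoTypePermission is added first so it is consulted last; every allow*
    // call after it is checked before the blanket deny.
    static XStream allowlistXStream() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypeHierarchy(Collection.class);
        xs.allowTypeHierarchy(Map.class);
        xs.allowTypes(new Class[] { String.class, ChannelMessage.class });
        // A real code base would usually also allow its own model package, e.g.
        // xs.allowTypesByWildcard(new String[] { "com.example.app.model.**" });
        return xs;
    }

    // Constructed sample input: one legitimate document, one naming a type the
    // application never intended to accept.
    static final String LEGIT_XML =
        "<ChannelMessage>\n"
      + "  <channelId>ch-1</channelId>\n"
      + "  <rawData><string>MSH|^~\\&amp;|SEND|RCV</string></rawData>\n"
      + "</ChannelMessage>";

    static final String UNEXPECTED_XML =
        "<UnexpectedType><payload>attacker-controlled</payload></UnexpectedType>";

    // Returns the simple class name XStream instantiated, or "REJECTED" if the
    // security framework refused the type.
    static String tryParse(XStream xs, String xml) {
        try {
            return xs.fromXML(xml).getClass().getSimpleName();
        } catch (ForbiddenClassException e) {
            return "REJECTED";
        }
    }

    public static void main(String[] args) {
        XStream deny = denylistXStream();
        XStream allow = allowlistXStream();

        // Both accept the expected type.
        System.out.println("denylist,  legit:      " + tryParse(deny, LEGIT_XML));
        System.out.println("allowlist, legit:      " + tryParse(allow, LEGIT_XML));

        // Only the allowlist refuses the type nobody listed.
        System.out.println("denylist,  unexpected: " + tryParse(deny, UNEXPECTED_XML));
        System.out.println("allowlist, unexpected: " + tryParse(allow, UNEXPECTED_XML));
    }
}
```

The practical check when reviewing such a change is to grep for AnyTypePermission.ANY and for allowTypesByWildcard patterns broad enough to cover JDK packages; either reopens the gap the allowlist is meant to close. Keeping the permitted set to the application's own model classes plus the collections they contain is the whole point.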

jdonextgen commented 8 months ago

Fix has been committed and will be available in Mirth Connect 4.4.1

todb-cisa commented 1 month ago

This version appears to fix CVE-2023-43208, implied rather strongly by this blog post. Is this accurate?