Overview
- vstakhov
- libucl
Description
Statistics
- 1 Post
Fediverse

🔎 MEDIUM severity: Heap-based buffer overflow in vstakhov libucl (≤0.9.2). Local access required, public exploit disclosed. Audit usage, restrict privileges, monitor for crashes. CVE-2025-6499 https://radar.offseq.com/threat/cve-2025-6499-heap-based-buffer-overflow-in-vstakh-e5ab10c5 #OffSeq #Vuln #libucl #InfoSec
Overview
- pypa
- pypa/setuptools
Description
Statistics
- 1 Post
Fediverse

🚨 New HIGH CVE detected in AWS Lambda 🚨
CVE-2024-6345 impacts setuptools in 3 Lambda base images.
Details: https://github.com/aws/aws-lambda-base-images/issues/288
More: https://lambdawatchdog.com/
Overview
- Sitecore
- Experience Manager
Description
Statistics
- 1 Post
- 1 Interaction
Fediverse

🚨 New Exploits Targeting Sitecore Experience Platform (XP)
Another wake-up call: Monitoring disclosed CVEs isn't enough anymore.
🔍 Last week, WatchTowr Labs dropped a detailed analysis of a pre-auth RCE chain in Sitecore XP – and it didn’t take long for attackers to move.
Within hours, CrowdSec’s network detected active exploitation in the wild.
⚠️ Key findings:
🔹 The Vulnerability-to-Exploit Window Is Critical: Attacks now outpace CVE assignments, leaving organizations exposed during the disclosure gap. This was demonstrated when, within hours of WatchTowr’s public analysis, CrowdSec’s threat network detected three distinct IPs actively scanning and exploiting vulnerable Sitecore XP instances.
🔹 Official CVE Designation a Few Hours After WatchTowr’s Article: The flaw is now formally tracked as CVE-2025-34509, CVE-2025-34510, and CVE-2025-34511 (listed on NVD).
🛠️ About the exploit:
The vulnerability chain enables unauthenticated remote code execution (RCE) through Sitecore’s publishing service, allowing attackers to compromise the entire CMS without requiring credentials. Successful exploitation could lead to data theft, malware deployment, or lateral movement within affected systems.
📈 Trend analysis:
🗓️ June 17: WatchTowr publishes the article.
⏱️ Hours later: CrowdSec’s decentralized threat network detected exploitation attempts from 104.248.137.152.
📍 Following days:
Two more IPs (130.33.178.14, 217.156.122.239) launched aggressive scans, with 130.33.178.14 alone responsible for 50+ attacks over the weekend.
🛡️ How to protect your systems:
🔹 Investigate: If your organization uses Sitecore XP, check your logs for these IPs: 130.33.178.14, 217.156.122.239, 104.248.137.152.
🔹 Patch: Do the necessary to patch your Sitecore XP CMS system.
🔹 Stay proactive: Gain additional protection by installing the Crowdsec Web Application Firewall to stay ahead of exploit attempts with 100+ virtual patching rules available: https://doc.crowdsec.net/docs/next/appsec/intro
📣 Real-time threat intelligence is not optional. Let’s stay ahead of these threats together 👉 http://crowdsec.net
#CyberSecurity #Infosec #ThreatIntel #RCE #Sitecore #CrowdSec #CVE
Overview
- corydolphin
- corydolphin/flask-cors
Description
Statistics
- 1 Post
- 3 Interactions
Fediverse

Malcolm v25.06.0 includes some new and oft-requested features, bug fixes, and component version bumps.
NOTE: As this Malcolm release enables the OpenSearch Security Plugin as described below, even inter-container access to OpenSearch must now be authenticated when using Malcolm's embedded OpenSearch instance. To accomplish this, an internal-use-only account and password is used for connecting to OpenSearch by Malcolm's other components as needed. This credential (saved in .opensearch.primary.curlrc in the Malcolm installation directory) needs to be generated before Malcolm starts up the first time after upgrading. To do so, please run ./scripts/auth_setup and select (Re)generate internal passwords for local primary OpenSearch instance. This credential is only used internally for OpenSearch and cannot be used to remotely access Malcolm.
- ✨ Features and enhancements
  - This release adds role-based access control (RBAC) to Malcolm (cisagov/Malcolm#460).
    - Malcolm's RBAC feature is based on Keycloak realm roles and is implemented in two layers:
      - Whenever possible, Malcolm's backend Keycloak realm roles are mapped to the roles/groups/permissions features provided by the components that make up Malcolm (see release notes for details)
      - For other Malcolm components that don't implement their own permission management systems, Malcolm handles the enforcement of roles based on request URIs in its NGINX proxy layer.
    - This is an optional feature. RBAC is only available when the authentication method is keycloak or keycloak_remote. With other authentication methods such as HTTP basic or LDAP, or when RBAC is disabled, all Malcolm users effectively have administrator privileges.
    - Because the OpenSearch Security Plugin requires TLS even internally, Malcolm's internal connections to the embedded OpenSearch instance, when used, are now all performed over HTTPS. However, this is all handled internally and should not behave or appear different to the user than it did in previous versions.
    - See the role-based access control documentation for more information on this feature.
  - Malcolm's embedded KeyCloak instance now automatically creates and configures the default client by ID, if specified in ./config/keycloak.env.
  - Allow user to specify subnet filters for NetBox autopopulation (cisagov/Malcolm#634)
    - This feature is especially useful for excluding dynamic address ranges such as those used by DHCP, which should generally not trigger autopopulation in NetBox. Since these addresses can change frequently and aren't tied to specific devices, including them could result in inaccurate or noisy inventory data. By fine-tuning which private subnets are included or excluded, users can ensure that only meaningful, typically static assignments are autopopulated.
  - Expose init arguments for Arkime's db.pl and also use them for Malcolm's creation of its own index templates (cisagov/Malcolm#692)
  - Extend Zeek's intel.log with additional fields using corelight/ExtendIntel (part 1) (cisagov/Malcolm#502)
    - This integrates the corelight/ExtendIntel plugin into Malcolm internally but does not significantly change how Malcolm presents intel.log to the user. Further work to do so will be continued in cisagov/Malcolm#695.
  - Some internal tweaks to the PCAP processing pipeline that are going to be leveraged by the Malcolm-Helm project (idaholab/Malcolm#630)
  - Handle a fix in the ICSNPP OPCUA-Binary plugin that adds a new sec_token_id field (cisagov/icsnpp-opcua-binary#101)
  - Moved the configuration for Zeek's use of the zeek-kafka plugin to its own file (kafka.zeek) to make it easier to override in Docker using a volume bind mount or in K8s using a configMap.
  - Changed some internal objects used for NetBox enrichment caching from Ruby's Concurrent::Hash to Concurrent::Map for better performance
  - Minor improvements to the icons, shortcuts, and convenience bash functions in the ISO-installed Malcolm desktop environment
  - NGINX now generates a robots.txt file to avoid web crawlers
- ✅ Component version updates
  - Alpine base Docker image to v3.22.0
  - Arkime to v5.7.0
  - capa to v9.2.1
  - flask-cors Python library to v6.0.0 to address CVE-2024-6839, CVE-2024-6844, and CVE-2024-6866
  - OpenSearch and OpenSearch Dashboards to v3.0.0
  - opensearch-py Python library to v3.0.0
  - osd_transform_vis Dashboards visualization library to v3.0.0
  - requests Python library to v2.32.4 to address CVE-2024-47081
  - YARA to v4.5.3
  - Zeek to v7.2.1
- 🐛 Bug fixes
  - NetBox autodiscovery no longer populating host name from DNS, DHCP, NTLM (regression, cisagov/Malcolm#699)
  - documentation served at /readme is trying to pull fonts from use.fontawesome.com (cisagov/Malcolm#694)
  - support fractional gigabytes correctly when generating Arkime's config.ini setting maxFileSizeG from PCAP_ROTATE_MEGABYTES
  - Improved logstash filters that calculate unique hashes used as document IDs for Zeek and Suricata logs to better prevent duplicate logs from being written to the document store
- 🧹 Code and project maintenance
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.
As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.
#Malcolm #HedgehogLinux #rbac #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov