Malcolm v26.06.1

Malcolm v26.06.1 addresses a high severity RCE vulnerability (GHSA-8cvp-m7pg-qrp7) allowing unrestricted PHP file upload and ships security-fixing updates across Arkime, OpenResty, Valkey, and PostgreSQL. Many other component versions have also been bumped. Six Zeek log parsing bugs are fixed — all related to JSON mode (ZEEK_JSON=true) and affecting DHCP, Redis, ROC+, and WebSocket log types — along with a suricata disable.conf append-on-restart regression, updated MaxMind GeoLite MMDB download logic, and an OpenSearch indexing error from oversized file.strings values.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

v26.06.0...v26.06.1

• 🛡️ Security Remediation & Hardening
  • Fix RCE via unrestricted .php upload to the file-upload component (GHSA-8cvp-m7pg-qrp7, thanks Jan Kahmen, turingpoint (@kah-ja, jan@turingpoint.de)
  • Removed php-curl from htadmin container (as it's unused) to reduce attack surface
  • Updates to Arkime, OpenResty, Valkey, and PostgreSQL all contain significant security fixes (see Component version updates below)
• 🐛 Bug fixes
  • ./scripts/start not returning to command line after containers have started #1025
  • Zeek DHCP logs are parsed incorrectly with ZEEK_JSON=true #1018
  • Zeek Redis logs' reply field not parsed correctly when ZEEK_JSON=true #1019
  • suricata disable.conf gets appended to every time container restarts #1022
  • Zeek roc_plus logs can be parsed incorrectly in Logstash when ZEEK_JSON=true #1021
  • Zeek websocket logs can be parsed incorrectly in Logstash when ZEEK_JSON=true #1020
  • fix downloading MaxMind MMDB files (URL and authentication method changed slightly); see also Secrets and variables in the documentation
  • cap file.strings length at 16k to avoid errors inserting into OpenSearch with very, very long values
• ✅ Component version updates
  • Arkime to v6.5.0
  • evtx to v0.12.2
  • Fluent Bit to v5.0.7
  • Keycloak to v26.6.3
  • OpenResty to v1.31.1.1
  • OpenSearch and OpenSearch Dashboards to v3.7.0
  • PostgreSQL to v18.4
  • Strelka caught up to target/strelka@main upstream
  • valkey to v8.1.8
  • yq to v4.53.3
• 🧹 Code and project maintenance
  • A few documentation updates
  • added tag_on_exception to all ruby Logstash filters to make debugging easier
• 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.
  • MAXMIND_GEOIP_DB_ACCOUNT_ID is now required alongside MAXMIND_GEOIP_DB_LICENSE_KEY in ./config/arkime-secret.env for downloading MMDB files during build and runtime; see also Secrets and variables in the documentation

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.