CVE-2024-31446
📋 TL;DR
This vulnerability in OpenComputers allows any user who can execute Lua code on mod devices to cause a denial-of-service by getting a Computer thread stuck in the Lua VM, which eventually blocks the Server thread and requires a forced server shutdown. It affects Minecraft servers running vulnerable versions of the OpenComputers mod. The GregTech: New Horizons modpack is also affected but has its own patched version.
💻 Affected Systems
- OpenComputers Minecraft mod
- GregTech: New Horizons modpack
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server shutdown requiring manual intervention to restart, disrupting all players and potentially causing data loss or corruption.
Likely Case
Targeted denial-of-service against specific Minecraft servers running the mod, causing temporary disruption until server restart.
If Mitigated
No impact if patched versions are used or if OpenComputers is configured to use LuaJ instead of the native Lua library.
🎯 Exploit Status
Exploitation requires ability to execute Lua code on OpenComputers devices, which typically requires some level of access/permissions within the Minecraft server.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OpenComputers 1.8.4; GregTech: New Horizons 1.10.10-GTNH
Vendor Advisory: https://github.com/MightyPirates/OpenComputers/security/advisories/GHSA-54j4-xpgj-cq4g
Restart Required: Yes
Instructions:
1. Download OpenComputers 1.8.4 or later from official sources.
2. Replace the existing OpenComputers mod file in your Minecraft server's mods folder.
3. Restart the Minecraft server.

For GregTech: New Horizons, update to version 1.10.10-GTNH or later.
🔧 Temporary Workarounds
Switch to LuaJ library
Configure OpenComputers to use LuaJ instead of the native Lua library, as LuaJ appears unaffected by this vulnerability
Restrict Lua code execution
Limit which users can execute Lua code on OpenComputers devices using server permissions/whitelisting
🧯 If You Can't Patch
- Monitor server logs for unusual Lua execution patterns or server thread blocking
- Implement regular server backups to minimize data loss from forced shutdowns
🔍 How to Verify
Check if Vulnerable:
Check OpenComputers mod version in server mods folder or via in-game /version command if available
Check Version:
Check mod file name or properties in Minecraft server mods folder
Verify Fix Applied:
Confirm OpenComputers version is 1.8.4 or higher, or GregTech: New Horizons is 1.10.10-GTNH or higher
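The version check above can be scripted over the mods folder. The following is an added example, not code from this page or from the OpenComputers project; the jar naming pattern and the sample file names are assumptions. It compares `-GTNH` builds against 1.10.10 rather than 1.8.4, because a GTNH build numbered above 1.8.4 can still predate the GTNH fix.

```python
import re
import sys
from pathlib import Path

# Fixed versions as stated on this page.
FIXED_UPSTREAM = (1, 8, 4)   # OpenComputers 1.8.4
FIXED_GTNH = (1, 10, 10)     # 1.10.10-GTNH

# ASSUMPTION: jars are named OpenComputers-[MC<game version>-]<x.y.z>[-GTNH][extra].jar
JAR_RE = re.compile(
    r"^OpenComputers-(?:MC[\d.]+-)?(\d+)\.(\d+)\.(\d+)(-GTNH)?(?:[+.\-].*)?\.jar$",
    re.IGNORECASE,
)

# Constructed sample file names, not taken from a real server.
SAMPLE = [
    "OpenComputers-MC1.12.2-1.8.3.jar",
    "OpenComputers-MC1.12.2-1.8.4.jar",
    "OpenComputers-1.9.2-GTNH.jar",
    "OpenComputers-1.10.10-GTNH.jar",
    "opencomputers-custom-build.jar",
]

def classify(jar_name):
    """Return 'patched', 'vulnerable' or 'unknown' for one jar file name."""
    m = JAR_RE.match(jar_name)
    if not m:
        return "unknown"  # version not parseable: needs manual review
    version = tuple(int(part) for part in m.group(1, 2, 3))
    # GTNH builds use their own numbering, so they get their own baseline.
    baseline = FIXED_GTNH if m.group(4) else FIXED_UPSTREAM
    return "patched" if version >= baseline else "vulnerable"

def scan(names):
    """Classify every file name that looks like an OpenComputers jar."""
    return {n: classify(n) for n in names if n.lower().startswith("opencomputers")}

if __name__ == "__main__":
    # Pass the server's mods directory as the first argument, or run on SAMPLE.
    if len(sys.argv) > 1:
        names = [p.name for p in Path(sys.argv[1]).glob("*.jar")]
    else:
        names = SAMPLE
    for name, verdict in sorted(scan(names).items()):
        print(f"{verdict:10} {name}")
```

File names can be changed by whoever installed the mod, so treat an `unknown` or unexpected result as a prompt to confirm the version the mod reports when the server starts.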
📡 Detection & Monitoring
Log Indicators:
- Server thread blocked warnings
- Unusual Lua execution patterns
- Forced server shutdown events
Network Indicators:
- Sudden server unavailability
- Connection timeouts to Minecraft server
SIEM Query:
Search for 'OpenComputers', 'Lua VM', 'server thread blocked', or forced shutdown events in server logs
🔗 References
- https://github.com/MightyPirates/OpenComputers/commit/9d4f7ea297953c2fd8ccfd24fe549d5e9576400f
- https://github.com/MightyPirates/OpenComputers/security/advisories/GHSA-54j4-xpgj-cq4g