Algernon Race Condition Vulnerability in Lua Handler Allows Denial-of-Service

Vulnerability

A race condition vulnerability has been identified in Algernon versions prior to 1.17.6. The issue arises in the Lua handler, where the synchronization mutex is released before executing Lua function calls. This flaw creates a concurrency issue, as the Lua state is not safe for simultaneous operations, leading to corruption of the Lua virtual machine. The vulnerability can be reproduced under moderate load, causing a denial-of-service condition when using Lua with Algernon.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by corrupting the Lua virtual machine, disrupting normal operations of the web server.

Reproduction

The vulnerability can be reproduced by sending concurrent requests to the server using a tool like Apache Benchmark (ab). With the command 'ab -n 1000 -c 100', 1000 requests are sent with a concurrency level of 100, which triggers the race condition by overwhelming the server with simultaneous Lua function calls that interfere with each other.

Remediation

Users can update to Algernon version 1.17.6 or later, where this vulnerability has been fixed.
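To make the flaw concrete, the following Go example (added here; it is not Algernon's own code) models the handler described above with a stand-in for the Lua state: the vulnerable variant releases the mutex before the Lua call, the fixed variant holds it across the call, and a driver fires 100 concurrent requests to show whether the state was ever used by two goroutines at once. The names fakeLuaState, serveVulnerable, serveFixed and stateWasShared are assumed for the illustration.

```go
package main

import (
	"sync"
	"sync/atomic"
	"time"
)

// fakeLuaState stands in for a real Lua VM (e.g. gopher-lua's *lua.LState), which must never
// be used from two goroutines at once. Instead of corrupting memory it records whether a
// second goroutine ever entered a call while another was still inside.
type fakeLuaState struct {
	inFlight int32 // goroutines currently inside call()
	shared   int32 // becomes 1 the first time two goroutines are inside concurrently
}

// call simulates running a Lua function; the sleep stands for script work and gives other
// goroutines time to arrive while this one is still inside the VM.
func (s *fakeLuaState) call() {
	if atomic.AddInt32(&s.inFlight, 1) > 1 {
		atomic.StoreInt32(&s.shared, 1)
	}
	time.Sleep(5 * time.Millisecond)
	atomic.AddInt32(&s.inFlight, -1)
}

// serveVulnerable mirrors the pre-1.17.6 pattern from the advisory: the handler's mutex is
// released before the Lua function runs, so concurrent requests overlap inside the VM.
func serveVulnerable(mu *sync.Mutex, st *fakeLuaState) {
	mu.Lock()
	// per-request setup of the Lua state would happen here
	mu.Unlock()
	st.call() // outside the critical section
}

// serveFixed holds the mutex across the whole interaction with the Lua state.
func serveFixed(mu *sync.Mutex, st *fakeLuaState) {
	mu.Lock()
	defer mu.Unlock()
	st.call()
}

// stateWasShared fires n requests at once (like "ab -c 100") through the given handler and
// reports whether the Lua state was ever used by two goroutines at the same time.
func stateWasShared(n int, serve func(*sync.Mutex, *fakeLuaState)) bool {
	var mu sync.Mutex
	st := &fakeLuaState{}
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			serve(&mu, st)
		}()
	}
	wg.Wait()
	return atomic.LoadInt32(&st.shared) == 1
}
```

Running the vulnerable handler under this load reports the state as shared, while the fixed handler serializes every call; running the real server's tests with the Go race detector (go test -race) would flag the same unsynchronized access.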

Added: May 26, 2026, 11:15 PM
Updated: May 26, 2026, 11:15 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 2.5
exploitability: 7.8
remediation: 7.7
relevance: 9.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.