
Log4Shell-like code execution hole in popular Backstage dev tool
2022-11-15 19:49

Researchers at cloud coding security company Oxeye have written up a critical bug that they recently discovered in the popular cloud development toolkit Backstage.

Powered by a centralized software catalog, Backstage restores order to your microservices and infrastructure and enables your product teams to ship high-quality code quickly - without compromising autonomy.

Fortunately, if we have interpreted Oxeye's writeup correctly, the attack they describe for their Backstage RCE depends on a sequence of coding flaws that ultimately depend on a specific bug, designated CVE-2022-36067, in a supply-chain component that Backstage relies on called vm2.

As far as we can see, if you're a Backstage user you will want to make sure that you have patched all at-risk components in your Backstage setup.

Oxeye researchers were able to pair their newly-discovered string templating code-triggering paths in Backstage + Scaffolder + Nunjucks with the older CVE-2022-36067 vulnerability in the vm2 security wrapper in order to achieve potential remote code execution on a Backstage server.

According to Oxeye, the relevant bugs in the Backstage code were patched by 01 September 2022, so that any official point release after that date should include the fixes.
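The advice above, to make sure every at-risk copy of a supply-chain component such as vm2 is patched, is easiest to act on by auditing the lockfile, since a dependency can be present more than once when one copy is nested under another package. The script below is an added example, not code from the Sophos article, from Oxeye's writeup or from the Backstage project; it assumes an npm package-lock.json, and the version threshold and sample lockfile are constructed placeholders rather than the real fixed version.

```javascript
// Added example, not code from the Sophos article or the Backstage project:
// list every copy of a package in an npm package-lock.json, including copies
// nested under other dependencies, whose version is below a threshold. The
// threshold and lockfile here are constructed placeholders; take the real
// fixed version from the advisory for CVE-2022-36067.
function parseVersion(v) {
  // "v3.9.5-beta.1" -> [3, 9, 5]
  return String(v).replace(/^v/, "").split("-")[0].split(".").map(Number);
}
// Numeric major.minor.patch comparison; negative when a is older than b.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// Every { path, version } of `name`. lockfileVersion 2/3 has a flat "packages"
// map keyed by install path; lockfileVersion 1 nests "dependencies" instead.
function findPackageInstances(lock, name) {
  const found = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`)) {
        found.push({ path: p, version: meta.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${dep}`;
      if (dep === name) found.push({ path: p, version: meta.version });
      walk(meta.dependencies, `${p}/`); // hoisting can leave older copies nested
    }
  };
  walk(lock.dependencies, "");
  return found;
}
// Instances older than minSafe; an empty result means there is nothing left to patch.
function findOutdated(lock, name, minSafe) {
  return findPackageInstances(lock, name).filter((i) => compareVersions(i.version, minSafe) < 0);
}
// Constructed sample: a direct vm2 at the top level plus one nested under a plugin.
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  "node_modules/vm2": { version: "3.9.5" },
  "node_modules/some-plugin/node_modules/vm2": { version: "3.9.99" },
} };
const MIN_SAFE_VM2 = "3.9.99"; // PLACEHOLDER threshold, not the real fixed version
```

Running `findOutdated(SAMPLE_LOCK, "vm2", MIN_SAFE_VM2)` reports only the top-level copy; the same scan over a real lockfile lists every path that still needs updating.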


News URL

https://nakedsecurity.sophos.com/2022/11/15/log4shell-like-code-execution-hole-in-popular-backstage-dev-tool/

Related Vulnerability

Date: 2022-09-06
CVE: CVE-2022-36067
Vulnerability title: Improper Control of Dynamically-Managed Code Resources vulnerability in VM2 Project VM2
Description: vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules.
Attack vector: network
Attack complexity: low
Vendor: vm2-project
CWE: CWE-913
Risk: critical (score 10.0)