Roadie’s Blog

Roadie customers are not affected by Backstage’s RCE vulnerability

By Jorge Lainfiesta, November 23rd, 2022

Last week, the Oxeye research team published a report on a vulnerability in Backstage that could allow a threat actor to execute code remotely by exploiting an outdated vm2 third-party library. The Backstage team patched this issue in version 1.5.1 on August 29th. Roadie customers are unaffected by this vulnerability because their instances are upgraded regularly (currently at v1.8) and because of extra security measures in the Scaffolder that Roadie has implemented from the beginning.

The problem

The remote code execution (RCE) vulnerability was possible due to a known issue in the vm2 library used in the Scaffolder, which has been patched since Backstage 1.5.1. By overloading definitions through a software template, the researchers managed to create a function outside the Scaffolder’s sandbox context that allowed them to execute arbitrary code in the instance.

Furthermore, the researchers pointed out that Backstage by default doesn’t provide authentication for backend requests. This allowed unauthenticated actors to access the Scaffolder, and therefore, exploit the vulnerability from outside the Developer Portal.

Roadie customers are not affected

Roadie customers were running on Backstage 1.8 at the time of the vulnerability disclosure. They were patched for this vulnerability shortly after Backstage 1.5.1 was released, because the team keeps a close eye on CVE notifications.

Furthermore, due to Roadie’s architecture, the risk from this vulnerability was greatly mitigated for Roadie customers. Instead of using the default execution strategy, Roadie executes templates on a transient ECS task with access to the scoped, temporary credentials required to execute the template.

Also, Roadie provides authenticated access to both frontend and backend requests, which means no unauthenticated actor could have accessed the Scaffolder in the first place.

Upgrade your instance ASAP

If you’re running a self-hosted Backstage instance and still use a pre-1.5 version, you’re facing a vulnerability with a 9.8 CVSS score, which is the most severe for exploitability and impact.
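
A quick way to check a self-hosted instance against the 1.5.1 fix mentioned above, as an added example (not Roadie's or Backstage's own code). It assumes the release version is recorded in the `version` field of `backstage.json` at the repository root; `parseVersion` and `classifyBackstage` are hypothetical helper names, and the sample manifests are constructed.

```javascript
// Added example: classify a Backstage release version against the 1.5.1 fix
// named in this post. Assumption: the release version is the "version" field
// of backstage.json at the repository root.
const FIXED = [1, 5, 1]; // patched release, per the post

// Parse "1.8.0" or "1.6.0-next.1" into numeric parts plus a pre-release flag.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(text).trim());
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Returns "patched", "vulnerable" or "unknown" for the text of backstage.json.
function classifyBackstage(jsonText) {
  let manifest;
  try {
    manifest = JSON.parse(jsonText);
  } catch (err) {
    return "unknown"; // unreadable manifest: verify by hand
  }
  const v = manifest && typeof manifest.version === "string"
    ? parseVersion(manifest.version)
    : null;
  if (!v) return "unknown"; // missing or malformed version field

  let cmp = 0;
  for (let i = 0; i < 3; i++) {
    if (v.parts[i] !== FIXED[i]) {
      cmp = v.parts[i] > FIXED[i] ? 1 : -1;
      break;
    }
  }
  if (cmp < 0) return "vulnerable"; // older than the patched release
  // The post only speaks about releases; a pre-release at or above 1.5.1
  // is reported as unknown instead of being assumed to contain the fix.
  return v.pre ? "unknown" : "patched";
}

// Constructed sample manifests (not taken from any real instance).
const samples = ['{"version":"1.8.0"}', '{"version":"1.4.0"}',
  '{"version":"1.6.0-next.1"}', '{}'];
for (const s of samples) console.log(s, "->", classifyBackstage(s));
```

Treat an "unknown" result as a prompt to check the installed packages by hand, not as a pass.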

If you don’t want to bother to run upgrades again, switch over to Roadie! We’ll keep your instance safe through regular upgrades and extra security layers. Request a demo!
