
New Parity Ethereum update protects against RPC call vulnerability

Parity Technologies


August 28, 2019


Yesterday afternoon we received a report from Scott Bigelow at Amberdata that a specially constructed RPC call may be able to crash Parity Ethereum nodes (any version) that have manually enabled public-facing RPC. For versions 2.5.6-stable and 2.6.1-beta and earlier, the `trace_call` RPC can be executed remotely by a third party.

Who’s affected?

Nodes that have manually enabled public-facing RPC are affected. Furthermore, we suspect that nodes that have manually enabled tracing may also be vulnerable. This means that primarily public infrastructure setups are exposed. Regular users who have not changed these node settings are not impacted.

Who’s not affected?

By default, Parity Ethereum does not enable tracing or public-facing RPC, so the majority of nodes should not be affected. Regardless, we recommend that everyone running Parity Ethereum nodes update to this latest version.

Fix available—update ASAP

Releases 2.5.7-stable and 2.6.2-beta are now available and fix this issue. Download them here.

Please update your nodes to the newest version ASAP, especially if you're running a node that has enabled tracing or a node that has enabled public-facing RPC. Nodes with the `--auto-update=all` flag set will receive the updates automatically.

By default, Parity Ethereum only listens on local loopback IP addresses. As a rule, we recommend never exposing an unfiltered RPC interface to the internet, as it's not needed unless you are running an infrastructure service.
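For operators with more than one node, the triage described above can be scripted. The following is an added example, not Parity's own code: it assumes each node's `web3_clientVersion` string and its `--jsonrpc-interface` and `--tracing` settings have already been collected into an inventory, and that release branches after 2.6 include the fix. The inventory rows are constructed.

```python
import ipaddress
import re

# First fixed release on each branch, from the advisory.
FIXED = {(2, 5): (2, 5, 7), (2, 6): (2, 6, 2)}

def parse_version(client_version):
    """Extract (major, minor, patch) from a web3_clientVersion-style string."""
    m = re.search(r"v(\d+)\.(\d+)\.(\d+)", client_version)
    if not m:
        raise ValueError("no version found in %r" % client_version)
    return tuple(int(x) for x in m.groups())

def is_patched(version):
    """Branch-aware check: 2.6.0 and 2.6.1 sort above 2.5.7 but are not fixed."""
    branch = version[:2]
    if branch in FIXED:
        return version >= FIXED[branch]
    # Assumption: branches after 2.6 carry the fix; older branches do not.
    return branch > (2, 6)

def rpc_is_public(interface):
    """True when the --jsonrpc-interface value binds beyond loopback."""
    if interface == "local":
        return False
    if interface == "all":
        return True
    return not ipaddress.ip_address(interface).is_loopback

def assess(client_version, interface="local", tracing="auto"):
    """Return (priority, reason) for one node, following the advisory's categories."""
    public = rpc_is_public(interface)
    if is_patched(parse_version(client_version)):
        return ("review", "fixed, but RPC is public") if public else ("ok", "fixed")
    if public:
        return ("urgent", "unpatched with public-facing RPC")
    if tracing == "on":
        return ("urgent", "unpatched with tracing manually enabled")
    return ("update", "unpatched, default exposure")

if __name__ == "__main__":
    # Constructed inventory rows: (clientVersion string, interface, tracing)
    nodes = [
        ("Parity-Ethereum//v2.5.6-stable/x86_64-linux-gnu", "all", "auto"),
        ("Parity-Ethereum//v2.6.1-beta/x86_64-linux-gnu", "local", "on"),
        ("Parity-Ethereum//v2.5.7-stable/x86_64-linux-gnu", "0.0.0.0", "on"),
    ]
    for row in nodes:
        print(row[0], "->", assess(*row))
```

The per-branch comparison matters because a plain "at least 2.5.7" test would wrongly treat 2.6.0-beta and 2.6.1-beta as fixed.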

Bug bounty program

Thanks to Scott Bigelow for reporting. As always, we welcome and reward bug findings as per our bug bounty program.
