
New Parity Ethereum update protects against RPC call vulnerability

Parity Technologies
August 29, 2019 in Security, Releases, Parity Ethereum

Yesterday afternoon we received a report from Scott Bigelow at Amberdata that a specially constructed RPC call may be able to crash Parity Ethereum nodes (any version) that have manually enabled public-facing RPC. For versions 2.5.6-stable and 2.6.1-beta and earlier, the `trace_call` RPC can be executed remotely by a third party.

Who’s affected?

Nodes that have manually enabled public-facing RPC are affected. Furthermore, we suspect that nodes that have manually enabled tracing may also be vulnerable. This means that primarily only public infrastructure setups are exposed. Regular users who have not changed these node settings are not impacted.

Who’s not affected?

By default, Parity Ethereum does not enable tracing or public-facing RPC, so the majority of nodes should not be affected. Regardless, we recommend that everyone running Parity Ethereum nodes update to this latest version.

Fix available—update ASAP

Releases 2.5.7-stable and 2.6.2-beta are now available and fix this issue. Download them here.

Please update your nodes to the newest version ASAP, especially if you’re running a node that has enabled tracing or a node that has enabled public-facing RPC. Nodes with the `--auto-update=all` flag set will receive the updates automatically.

By default, Parity Ethereum only listens on local loopback IP addresses. As a rule, we recommend never exposing an unfiltered RPC interface to the internet, as it’s not needed unless you are running an infrastructure service.
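
To check whether a node falls into either of the two groups named above (public-facing RPC, or tracing manually enabled), the following sketch audits a node's launch command. It is an added example, not code from Parity Technologies. The function names are hypothetical, and the `--jsonrpc-interface`, `--no-jsonrpc`, `--unsafe-expose` and `--tracing` options are Parity Ethereum CLI flags not named in this post. It assumes the node is configured on the command line only; settings in a config file are not read.

```python
import ipaddress
import shlex

def _opt(args, name, default):
    """Return the value of `--name=value` or `--name value`, else the default."""
    for i, arg in enumerate(args):
        if arg == name and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith(name + "="):
            return arg.split("=", 1)[1]
    return default

def _is_loopback(iface):
    """True only when the RPC listener is bound to a loopback address."""
    if iface == "local":
        return True
    if iface == "all":
        return False
    try:
        return ipaddress.ip_address(iface).is_loopback
    except ValueError:
        return False  # hostname or unrecognised value: treat as exposed

def audit(cmdline):
    """Return findings for the two conditions the advisory names."""
    args = shlex.split(cmdline)
    findings = []
    iface = _opt(args, "--jsonrpc-interface", "local")  # default is loopback
    rpc_on = "--no-jsonrpc" not in args
    if "--unsafe-expose" in args:
        findings.append("public-facing RPC (--unsafe-expose)")
    elif rpc_on and not _is_loopback(iface):
        findings.append("public-facing RPC (interface=%s)" % iface)
    if _opt(args, "--tracing", "auto") == "on":
        findings.append("tracing manually enabled")
    return findings

# Constructed command lines, not taken from any real deployment.
SAMPLES = [
    "parity --chain=mainnet",
    "parity --jsonrpc-interface all --tracing=on",
    "parity --jsonrpc-interface=127.0.0.1 --tracing on",
    "parity --jsonrpc-interface 0.0.0.0 --no-jsonrpc",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit(sample) or ["defaults: not in the exposed groups"])
```

An empty result only means the launch flags match the defaults described above; it does not replace updating to 2.5.7-stable or 2.6.2-beta.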

Bug bounty program

Thanks to Scott Bigelow for reporting. As always, we welcome and reward bug findings as per our bug bounty program.
