
New Parity Ethereum update protects against RPC call vulnerability

Parity Technologies
August 29, 2019 in Security, Releases, Parity Ethereum

Yesterday afternoon we received a report from Scott Bigelow at Amberdata that a specially constructed RPC call may be able to crash Parity Ethereum nodes (any version) that have manually enabled public-facing RPC. For versions 2.5.6-stable and 2.6.1-beta and earlier, the `trace_call` RPC can be executed remotely by a third party.

Who’s affected?

Nodes that have manually enabled public-facing RPC are affected. Furthermore, we suspect that nodes that have manually enabled tracing may also be vulnerable. This means that primarily only public infrastructure setups are exposed. Regular users who have not changed these node settings are not impacted.

Who’s not affected?

By default, Parity Ethereum does not enable tracing or public-facing RPC, so the majority of nodes should not be affected. Regardless, we recommend that everyone running Parity Ethereum nodes update to this latest version.

Fix available—update ASAP

Releases 2.5.7-stable and 2.6.2-beta are now available and fix this issue. Download them here.

Please update your nodes to the newest version ASAP, especially if you’re running a node that has enabled tracing or a node that has enabled public-facing RPC. Nodes with the `--auto-update=all` flag set will receive the updates automatically.

By default, Parity Ethereum only listens on local loopback IP addresses. As a rule, we recommend never exposing an unfiltered RPC interface to the internet, as it’s not needed unless you are running an infrastructure service.
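To triage a fleet against the conditions in this advisory, the following added example (not Parity's own code) checks a node's version string and launch arguments for the three things named above: an unpatched release, a non-loopback `--jsonrpc-interface`, and `--tracing on`. The function names and the sample inputs are assumptions for illustration, and releases newer than 2.6.2 are assumed to carry the fix.

```python
import re

# Values of --jsonrpc-interface that keep RPC on the loopback interface.
LOOPBACK = {"local", "127.0.0.1", "::1"}

def parse_flags(argv):
    """Collect '--flag=value' and '--flag value' pairs from a launch command."""
    flags, i = {}, 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--"):
            name, sep, value = arg[2:].partition("=")
            if not sep and i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                value, i = argv[i + 1], i + 1
            flags[name] = value
        i += 1
    return flags

def is_patched(version):
    """True for 2.5.7+ on the 2.5 line, or 2.6.2 and later (assumed fixed)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return False  # unparseable version: treat as unpatched
    v = tuple(int(x) for x in m.groups())
    if v[:2] == (2, 5):
        return v >= (2, 5, 7)
    return v >= (2, 6, 2)

def audit(version, argv):
    """Return the advisory conditions that apply to one node."""
    flags = parse_flags(argv)
    findings = []
    if not is_patched(version):
        findings.append("unpatched")
    # Default is 'local'; anything else makes RPC reachable off-host.
    if flags.get("jsonrpc-interface", "local") not in LOOPBACK:
        findings.append("public-rpc")
    # Only an explicit 'on' is flagged; 'auto' depends on the existing database.
    if flags.get("tracing", "auto") == "on":
        findings.append("tracing")
    return findings

if __name__ == "__main__":
    # Constructed sample inventory: (version, launch arguments).
    for ver, args in [("2.5.6-stable", ["--jsonrpc-interface", "all", "--tracing=on"]),
                      ("2.6.2-beta", ["--chain", "kovan"])]:
        print(ver, audit(ver, args) or "ok")
```

Nodes reporting both `unpatched` and `public-rpc` are the ones to update first.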

Bug bounty program

Thanks to Scott Bigelow for reporting. As always, we welcome and reward bug findings as per our bug bounty program.
