diff --git a/SOURCES/xmlrpc-disallow-deserialization-of-ex-serializable-tags.patch b/SOURCES/xmlrpc-disallow-deserialization-of-ex-serializable-tags.patch
new file mode 100644
index 0000000..d11490e
--- /dev/null
+++ b/SOURCES/xmlrpc-disallow-deserialization-of-ex-serializable-tags.patch
@@ -0,0 +1,35 @@
+From 5d6fe1e8c071bd56cf08f86e337f617fc9895b30 Mon Sep 17 00:00:00 2001
+From: Michael Simacek
+Date: Fri, 18 May 2018 15:22:49 +0200
+Subject: [PATCH] Disallow deserialization of tags
+
+Can be reenabled by setting JVM property
+org.apache.xmlrpc.allowInsecureDeserialization to 1.
+
+- Resolves CVE-2016-5003
+---
+ .../java/org/apache/xmlrpc/parser/SerializableParser.java | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java b/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java
+index 18f25ac..c8bb7ed 100644
+--- a/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java
++++ b/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java
+@@ -29,6 +29,14 @@ import org.apache.xmlrpc.XmlRpcException;
+ */
+ public class SerializableParser extends ByteArrayParser {
+ public Object getResult() throws XmlRpcException {
++ if (!"1".equals(System.getProperty("org.apache.xmlrpc.allowInsecureDeserialization"))) {
++ throw new UnsupportedOperationException(
++ "Deserialization of ex:serializable objects is vulnerable to " +
++ "remote execution attacks and is disabled by default. " +
++ "If you are sure the source data is trusted, you can enable " +
++ "it by setting org.apache.xmlrpc.allowInsecureDeserialization " +
++ "JVM property to 1");
++ }
+ try {
+ byte[] res = (byte[]) super.getResult();
+ ByteArrayInputStream bais = new ByteArrayInputStream(res);
+--
+2.17.0
+
diff --git a/SPECS/xmlrpc.spec b/SPECS/xmlrpc.spec
index 385ba7c..bbb465f 100644
--- a/SPECS/xmlrpc.spec
+++ b/SPECS/xmlrpc.spec
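Review bot: Once `org.apache.xmlrpc.allowInsecureDeserialization` is set to 1 the new guard is skipped entirely and `getResult()` goes on to deserialize the caller-supplied byte[] with, as far as the hunk shows, no `ObjectInputFilter` or class allowlist, so the opt-in restores the full CVE-2016-5003 exposure rather than narrowing it; the body of `getResult()` continues past the end of the hunk. That trade-off should be stated in a class-level Javadoc rather than only in the exception text, e.g. `Deserialization of ex:serializable values is disabled by default (CVE-2016-5003); setting the JVM property org.apache.xmlrpc.allowInsecureDeserialization=1 re-enables unrestricted ObjectInputStream deserialization of caller-supplied data and should only be used with trusted peers, ideally together with a JVM-level deserialization filter (jdk.serialFilter) limited to the expected classes.` The guard also throws `UnsupportedOperationException` although the method already declares `throws XmlRpcException`; raising `XmlRpcException` with the same message would keep the rejection on the fault path the parser's callers already handle, whereas an unchecked exception may escape the parsing layer as an opaque server error. Finally, the property is compared only against the literal "1", which matches the message but means values such as "true" silently leave the feature disabled, so the Javadoc should say that only the exact value 1 enables it.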
@@ -1,6 +1,6 @@
 Name: xmlrpc
 Version: 3.1.3
-Release: 8%{?dist}
+Release: 9%{?dist}
 Epoch: 1
 Summary: Java XML-RPC implementation
 License: ASL 2.0
@@ -10,6 +10,7 @@ Source0: http://www.apache.org/dist/ws/xmlrpc/sources/apache-xmlrpc-%{version
 Patch0: %{name}-client-addosgimanifest.patch
 Patch1: %{name}-common-addosgimanifest.patch
 Patch2: %{name}-javax-methods.patch
+Patch3: %{name}-disallow-deserialization-of-ex-serializable-tags.patch
 BuildRequires: maven-local
 BuildRequires: maven-resources-plugin
@@ -77,6 +78,7 @@ popd
 pushd common
 %patch1 -b .sav
 popd
+%patch3 -p1
 sed -i 's/\r//' LICENSE.txt
@@ -111,6 +113,10 @@ sed -i 's/\r//' LICENSE.txt
 %changelog
+* Wed May 23 2018 Michael Simacek - 1:3.1.3-9
+- Disallow deserialization of tags by default
+- Resolves: CVE-2016-5003
+
 * Fri Dec 27 2013 Daniel Mach - 1:3.1.3-8
 - Mass rebuild 2013-12-27