No statement is currently available from the vendor regarding this vulnerability.
Apache Flex BlazeDS version 4.7.3 addresses CVE-2017-5641 by restricting classes to only those whitelisted. Affected users are encouraged to upgrade. The XXE vulnerability (CVE-2015-3269) was previously addressed in version 4.7.1.
The demonstrated code would not be able to cause any harm for the reason that calling setAutoCommit( true ) requires a connection object which is not even initialized at that time (see lines 4067-4087 at: http://www.docjar.com/html/api/com/sun/rowset/JdbcRowSetImpl.java.html). Additionally, in our implementation all com.sun.* and java.* classes are excluded from deserialization.
We are not aware of further vendor information regarding this vulnerability.