diff --git a/CVE-2019-17570.patch b/CVE-2019-17570.patch
new file mode 100644
index 0000000..690147d
--- /dev/null
+++ b/CVE-2019-17570.patch
@@ -0,0 +1,48 @@
+From: Markus Koschany
+Date: Mon, 27 Jan 2020 19:40:57 +0100
+Subject: CVE-2019-17570
+
+Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1775193
+---
+ .../apache/xmlrpc/parser/XmlRpcResponseParser.java | 28 ++++++++++++----------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java b/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java
+index 087572b..f1b2427 100644
+--- a/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java
++++ b/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java
+@@ -69,19 +69,21 @@ public class XmlRpcResponseParser extends RecursiveTypeParserImpl {
+ getDocumentLocator());
+ }
+ errorMessage = (String) map.get("faultString");
+- Object exception = map.get("faultCause");
+- if (exception != null) {
+- try {
+- byte[] bytes = (byte[]) exception;
+- ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
+- ObjectInputStream ois = new ObjectInputStream(bais);
+- errorCause = (Throwable) ois.readObject();
+- ois.close();
+- bais.close();
+- } catch (Throwable t) {
+- // Ignore me
+- }
+- }
++ if (((XmlRpcStreamRequestConfig)cfg).isEnabledForExceptions()) {
++ Object exception = map.get("faultCause");
++ if (exception != null) {
++ try {
++ byte[] bytes = (byte[]) exception;
++ ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
++ ObjectInputStream ois = new ObjectInputStream(bais);
++ errorCause = (Throwable) ois.readObject();
++ ois.close();
++ bais.close();
++ } catch (Throwable t) {
++ // Ignore me
++ }
++ }
++ }
+ }
+ }
+
diff --git a/xmlrpc.spec b/xmlrpc.spec
index c26b5b0..42ee76c 100644
--- a/xmlrpc.spec
+++ b/xmlrpc.spec
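Review bot: The new `isEnabledForExceptions()` guard around the `faultCause` handling makes the deserialization opt-in but does not constrain it: once a deployment enables the flag, `ois.readObject()` still reconstructs whatever serialized object the remote side placed in `faultCause`, so the unfiltered `ObjectInputStream` use this patch exists to address is gated rather than removed. On a JDK that provides `java.io.ObjectInputFilter`, the stream should receive a filter via `ois.setObjectInputFilter(...)` that admits only the `Throwable` hierarchy and the JDK classes needed to carry its message and stack trace, and a comment such as `// faultCause is remote-supplied serialized data; only deserialize when explicitly enabled and filtered` belongs above the guard. The unconditional `(XmlRpcStreamRequestConfig)cfg` cast sits outside the inner try/catch and cannot be checked from this hunk because the declaration of `cfg` is not visible; if other config implementations can reach this parser, a `ClassCastException` there would propagate rather than be swallowed. The retained `catch (Throwable t) { // Ignore me }` also continues to hide a failed or rejected deserialization from operators, so logging the failure at least at debug level would help detection. The enclosing method begins and ends outside this hunk.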
@@ -1,6 +1,6 @@
 Name: xmlrpc
 Version: 3.1.3
-Release: 1
+Release: 2
 Epoch: 1
 Summary: Java XML-RPC implementation
 License: ASL 2.0
@@ -12,6 +12,7 @@ Patch2: %{name}-javax-methods.patch
 Patch3: %{name}-server-addosgimanifest.patch
 Patch4: %{name}-disallow-deserialization-of-ex-serializable-tags.patch
 Patch5: %{name}-disallow-loading-external-dtd.patch
+Patch6: CVE-2019-17570.patch
 BuildRequires: maven-local mvn(org.apache:apache:pom:)
 BuildRequires: mvn(commons-httpclient:commons-httpclient) mvn(commons-logging:commons-logging)
 BuildRequires: mvn(javax.servlet:servlet-api) mvn(org.apache.ws.commons.util:ws-commons-util)
@@ -63,6 +64,7 @@ Provides: %{name}3-server = 3.1.3-13
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 sed -i 's/\r//' LICENSE.txt
 %pom_disable_module dist
 %pom_remove_dep jaxme:jaxmeapi common
@@ -87,5 +89,8 @@ sed -i 's/\r//' LICENSE.txt
 %license LICENSE.txt NOTICE.txt
 %changelog
+* Fri Feb 25 2022 yaoxin - 3.1.3-2
+- Fix CVE-2019-17570
+
 * Wed Aug 12 2020 leiju - 3.1.3-1
 - Package init