It was found that it is possible to connect to XML RPC OpenAPI on OA or BA application using the outdated security protocols TLS v1.1 and SSL v3.
A custom IQXMLRPC library is used to establish a connection to XMLRPCD for both OA and BA servers. A Feature Request PFR-1247 was submitted to the developers to replace this library with a standard one that supports more recent protocols.
As XML RPC has no browser components, an attacker does not have the possibility to influence client's traffic. Therefore the PUDDLE attack cannot be applied for XML RPC case.