Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code execution and possible further attacks.
This issue has been addressed in the following products:
Red Hat Data Grid, via RHSA-2018:1833: https://access.redhat.com/errata/RHSA-2018:1833