Is CVE-2016-1000027 mitigated in flowable

Hi there our build code is failing on this CVE issue check (CVE-2016-1000027 - Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue i - CVE-Search), but on further investigation, it seems like the issue is not fixed in spring framework, but it is left to the implementors to make sure that their code cannot be exploited.

Our general advice applies: Do not use Java serialization for external endpoints, in particular not for unauthorized ones. HTTP invoker is not a well-kept secret (or an “oversight”) but rather the typical case of how a Spring application would expose serialization endpoints to begin with… he has a point that we should make this case all across our documentation, including the javadoc. But I don’t really see a CVE case here, just a documentation improvement.
[R2] Pivotal Spring Framework HttpInvokerServiceExporter readRemoteInvocation Method Untrusted Java Deserialization - Research Advisory | Tenable®

So my question is, if the flowable code is vulnerable to this.
If this is not a problem, then we just place this issue in a whitelist in our build.