diff --git a/src/java.naming/share/classes/com/sun/jndi/ldap/Obj.java b/src/java.naming/share/classes/com/sun/jndi/ldap/Obj.java
index da9e1926a5a..a842d42d25b 100644
--- a/src/java.naming/share/classes/com/sun/jndi/ldap/Obj.java
+++ b/src/java.naming/share/classes/com/sun/jndi/ldap/Obj.java
@@ -465,6 +465,12 @@ final class Obj {
 // Empty content
 refAddrList[posn] = new StringRefAddr(type, null);
 } else if (val.charAt(start) == separator) {
+ // Check if deserialization of binary RefAddr is allowed from
+ // 'javaReferenceAddress' LDAP attribute.
+ if (!VersionHelper.isSerialDataAllowed()) {
+ throw new NamingException("Object deserialization is not allowed");
+ }
+
 // Double separators indicate a non-StringRefAddr
 // Content is a Base64-encoded serialized RefAddr
diff --git a/src/java.naming/share/classes/com/sun/jndi/ldap/VersionHelper.java b/src/java.naming/share/classes/com/sun/jndi/ldap/VersionHelper.java
index edb43f73e8b..4d7ce28a841 100644
--- a/src/java.naming/share/classes/com/sun/jndi/ldap/VersionHelper.java
+++ b/src/java.naming/share/classes/com/sun/jndi/ldap/VersionHelper.java
@@ -82,7 +82,7 @@ public final class VersionHelper {
 /**
 * Returns true if deserialization of objects from 'javaSerializedData'
+ * and 'javaReferenceAddress' LDAP attributes is allowed.
- * LDAP attribute is allowed.
 *
 * @return true if deserialization is allowed; false - otherwise
 */
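Review bot: The `NamingException` thrown by the new guard in the double-separator branch of Obj.java carries only "Object deserialization is not allowed", so a refusal logged from this path does not say which attribute was rejected. The updated VersionHelper Javadoc says the same `isSerialDataAllowed()` switch now covers both 'javaSerializedData' and 'javaReferenceAddress', so the two refusals would presumably read identically to someone triaging a blocked lookup. Naming the attribute would fix that, e.g. `throw new NamingException("Object deserialization is not allowed: serialized RefAddr in 'javaReferenceAddress'");`. The guard is placed before the Base64-encoded content is processed, which is the right order. The enclosing method starts and ends outside the hunk, so whether any caller or test matches on the exact message text cannot be confirmed from here.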