When sending an XML Entity Expansion (XEE) payload to the XMLRPC based RPC2 interface. The duration of the DoS state depends on available memory and CPU speed. The default restricted mode of the RPC2 interface is NOT vulnerable.
OpenVPN Access Server before 2.7.0
OpenVPN Access Server 2.8.x before 2.8.3