It was found that Apache CXF 2.0.x prior to 2.0.13, 2.1.x prior to 2.1.10, and 2.2.x prior to 2.2.9 did not properly constrain the use of DTDs in XML messages sent by clients. A remote attacker could use this flaw to perform XXE (XML eXternal Entity) attacks, allowing them to read arbitrary, local files accessible to the user running the application server, as well as to trigger HTTP requests to intranet URLs from the server. A remote attacker could also use this flaw to perform a denial of service attack by sending a crafted XML document containing a large number of nested entity references. These would be recursively expanded by the server, causing a denial of service by CPU and memory exhaustion.
Statement: Not Vulnerable. This issue does not affect the versions of Apache CXF as shipped with various Red Hat products.
References: http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf https://issues.apache.org/jira/browse/GERONIMO-5383