...
This has been fixed in revision:
http://svn.apache.org/viewvc?rev=1338219&view=rev
All released versions of CXF are affected.
...
Users of CXF prior to 2.4.x should upgrade to either 2.4.8, 2.5.4, or 2.6.1.
CXF 2.4.5 to 2.4.7 users should upgrade to 2.4.8 as soon as possible.
CXF 2.5.1 to 2.5.3 users should upgrade to 2.5.4 as soon as possible.
CXF 2.6.0 users should upgrade to 2.6.1 as soon as possible.
References: http://cxf.apache.org/security-advisories.html
...