Vulnerabilities > CVE-2013-2160 - Resource Management Errors vulnerability in Apache CXF
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Summary
The streaming XML parser in Apache CXF 2.5.x before 2.5.10, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to cause a denial of service (CPU and memory consumption) via crafted XML with a large number of (1) elements, (2) attributes, (3) nested constructs, and possibly other vectors.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
description | Apache CXF < 2.5.10 / 2.6.7 / 2.7.4 - Denial of Service. CVE-2013-2160. DoS exploits for multiple platforms |
id | EDB-ID:26710 |
last seen | 2016-02-03 |
modified | 2013-07-09 |
published | 2013-07-09 |
reporter | SEC Consult |
source | https://www.exploit-db.com/download/26710/ |
title | Apache CXF < 2.5.10 / 2.6.7 / 2.7.4 - Denial of Service |
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2013-14106.NASL description Upgrade of CXF to 2.6.9, fixes CVE-2013-2160. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-08-12 plugin id 69298 published 2013-08-12 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/69298 title Fedora 19 : cxf-2.6.9-1.fc19 / jacorb-2.3.1-8.fc19 / wss4j-1.6.10-1.fc19 (2013-14106) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2013-14106.
#

# Purpose: local package check for Fedora 19 hosts. It passes three reference
# builds (cxf, jacorb, wss4j) to rpm_check() and reports the host when any of
# those calls returns true.
#
# Scope note for triage: every decision below is made from knowledge-base
# items (release string, rpm list, cpu). Nothing here contacts a CXF endpoint,
# so a finding means "package build not at the advisory level", not
# "service confirmed exploitable".
include("compat.inc");

# Registration pass: when `description` is set the script only declares its
# metadata and exits before any host data is read.
if (description)
{
  script_id(69298);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2013-2160");
  script_xref(name:"FEDORA", value:"2013-14106");

  script_name(english:"Fedora 19 : cxf-2.6.9-1.fc19 / jacorb-2.3.1-8.fc19 / wss4j-1.6.10-1.fc19 (2013-14106)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Upgrade of CXF to 2.6.9, fixes CVE-2013-2160. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=929197"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113791.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?3cf87d55"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113792.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?e74effcb"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113793.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?8c11c1ce"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected cxf, jacorb and / or wss4j packages."
  );
  # CVSS v2 vector: network reachable, low complexity, no authentication,
  # availability impact only (partial).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:cxf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:jacorb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:wss4j");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:19");

  script_set_attribute(attribute:"patch_publication_date", value:"2013/08/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/08/12");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  # Declares ssh_get_info.nasl as a dependency and the KB keys that must
  # exist before this plugin is run.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# audit() comes from audit.inc (not shown); presumably it logs the reason and
# ends the script - confirm against the include.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# `>!<` is NASL's "substring not found" operator: stop unless the release
# string mentions Fedora.
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");

# Pull the major release number out of the release string, then require it to
# be exactly 19 (19 followed by a non-digit or end of string).
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^19([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 19.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86_64 and i386-i686 hosts are evaluated; any other architecture is
# audited out as not implemented rather than reported as clean.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

# Count how many of the three reference builds rpm_check() flags.
# rpm_check() is defined in rpm.inc (not shown); presumably it is true when
# the installed package is older than the reference - confirm.
flag = 0;
if (rpm_check(release:"FC19", reference:"cxf-2.6.9-1.fc19")) flag++;
if (rpm_check(release:"FC19", reference:"jacorb-2.3.1-8.fc19")) flag++;
if (rpm_check(release:"FC19", reference:"wss4j-1.6.10-1.fc19")) flag++;

if (flag)
{
  # At least one package was flagged: report on port 0, attaching the rpm
  # report text only when report verbosity is above zero.
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  # Nothing flagged: distinguish "packages checked and fine" from
  # "none of the packages are installed".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cxf / jacorb / wss4j");
}
NASL family Fedora Local Security Checks NASL id FEDORA_2013-14159.NASL description Upgrade of CXF to 2.6.9, fixes CVE-2013-2160. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-08-12 plugin id 69300 published 2013-08-12 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/69300 title Fedora 18 : cxf-2.6.9-1.fc18 / jacorb-2.3.1-8.fc18 / wss4j-1.6.10-1.fc18 (2013-14159) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2013-14159.
#

# Purpose: local package check for Fedora 18 hosts. It passes three reference
# builds (cxf, jacorb, wss4j) to rpm_check() and reports the host when any of
# those calls returns true.
#
# Scope note for triage: the result is derived only from knowledge-base items
# (release string, rpm list, cpu). No CXF service is probed, so a finding
# reflects the installed package build, not confirmed exposure of a parser.
include("compat.inc");

# Registration pass: when `description` is set the script declares metadata
# only and exits before reading any host data.
if (description)
{
  script_id(69300);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2013-2160");
  script_xref(name:"FEDORA", value:"2013-14159");

  script_name(english:"Fedora 18 : cxf-2.6.9-1.fc18 / jacorb-2.3.1-8.fc18 / wss4j-1.6.10-1.fc18 (2013-14159)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Upgrade of CXF to 2.6.9, fixes CVE-2013-2160. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=929197"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113756.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?86049458"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113757.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?52eedd39"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113758.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?b4b6a104"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected cxf, jacorb and / or wss4j packages."
  );
  # CVSS v2 vector: network reachable, low complexity, no authentication,
  # availability impact only (partial).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:cxf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:jacorb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:wss4j");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:18");

  script_set_attribute(attribute:"patch_publication_date", value:"2013/08/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/08/12");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  # Declares ssh_get_info.nasl as a dependency and the KB keys that must
  # exist before this plugin is run.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# audit() comes from audit.inc (not shown); presumably it logs the reason and
# ends the script - confirm against the include.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# `>!<` is NASL's "substring not found" operator: stop unless the release
# string mentions Fedora.
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");

# Extract the major release number and require it to be exactly 18
# (18 followed by a non-digit or end of string).
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^18([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 18.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86_64 and i386-i686 hosts are evaluated; any other architecture is
# audited out as not implemented rather than reported as clean.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

# Count how many of the three reference builds rpm_check() flags.
# rpm_check() is defined in rpm.inc (not shown); presumably it is true when
# the installed package is older than the reference - confirm.
flag = 0;
if (rpm_check(release:"FC18", reference:"cxf-2.6.9-1.fc18")) flag++;
if (rpm_check(release:"FC18", reference:"jacorb-2.3.1-8.fc18")) flag++;
if (rpm_check(release:"FC18", reference:"wss4j-1.6.10-1.fc18")) flag++;

if (flag)
{
  # At least one package was flagged: report on port 0, attaching the rpm
  # report text only when report verbosity is above zero.
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  # Nothing flagged: distinguish "packages checked and fine" from
  # "none of the packages are installed".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cxf / jacorb / wss4j");
}
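NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2013-1437.NASL description The version of JBoss Enterprise Portal Platform on the remote system is affected by the following issues: - A flaw in CSRF prevention filter in JBoss Web could allow remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier. (CVE-2012-4431) - A flaw that occurs when the COOKIE session tracking method is used can allow attackers to hijack users last seen 2020-06-01 modified 2020-06-02 plugin id 72237 published 2014-01-31 reporter This script is Copyright (C) 2014-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/72237 title JBoss Portal 6.1.0 Update (RHSA-2013:1437) code
#
# (C) Tenable Network Security, Inc.
#

# Purpose: local version check for JBoss Enterprise Portal Platform on Red Hat
# hosts. It reads the "Host/JBoss/Portal Platform" KB list, splits each entry
# into version and path, and reports every install whose version is 6.0.0.
#
# Scope note for triage: the finding is based on the recorded install version
# only. None of the twelve CVEs listed below (including the StAX parser denial
# of service, CVE-2013-2160) is tested individually.
include("compat.inc");

# Registration pass: when `description` is set the script declares metadata
# only and exits before reading any host data.
if (description)
{
  script_id(72237);
  script_version("1.8");
  script_cvs_date("Date: 2019/10/24 15:35:37");

  script_cve_id(
    "CVE-2012-4431",
    "CVE-2012-4529",
    "CVE-2012-4572",
    "CVE-2012-5575",
    "CVE-2013-1921",
    "CVE-2013-2067",
    "CVE-2013-2102",
    "CVE-2013-2160",
    "CVE-2013-2172",
    "CVE-2013-4112",
    "CVE-2013-4128",
    "CVE-2013-4213"
  );
  script_bugtraq_id(
    56814,
    59799,
    60040,
    60043,
    60045,
    60846,
    61030,
    61179,
    61739,
    61742,
    62256,
    63196
  );
  script_xref(name:"RHSA", value:"2013:1437");

  script_name(english:"JBoss Portal 6.1.0 Update (RHSA-2013:1437)");
  script_summary(english:"Checks for the install versions of JBoss Portal");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat host is missing a security update.");
  # The description text is kept exactly as published, including its line
  # breaks, because it is emitted in scan reports.
  script_set_attribute(attribute:"description", value:
"The version of JBoss Enterprise Portal Platform on the remote system is affected by the following issues: - A flaw in CSRF prevention filter in JBoss Web could allow remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier. 
(CVE-2012-4431) - A flaw that occurs when the COOKIE session tracking method is used can allow attackers to hijack users' sessions. (CVE-2012-4529) - A flaw that occurs when multiple applications use the same custom authorization module class name can allow a local attacker to deploy a malicious application that overrides the custom authorization modules provided by other applications. (CVE-2012-4572) - The framework does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting. This can allow remote attackers to force the system to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications. (CVE-2012-5575) - A flaw in PicketBox can allow local users to obtain the admin encryption key by reading the Vault data file. (CVE-2013-1921) - A session fixation flaw was found in the FormAuthenticator module. (CVE-2013-2067) - A flaw that occurs when a JGroups channel was started results in the JGroups diagnostics service being enabled by default with no authentication via IP multicast. A remote attacker can make use of this flaw to read diagnostics information. (CVE-2013-2102) - A flaw in the StAX parser implementation can allow remote attackers to cause a denial of service via crafted XML. (CVE-2013-2160) - A flaw in Apache Santuario XML Security can allow context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak algorithm. (CVE-2013-2172) - A flaw in JGroup's DiagnosticsHandler can allow remote attackers to obtain sensitive information and execute arbitrary code by re-using valid credentials. (CVE-2013-4112) - A flaw in the manner in which authenticated connections were cached on the server by remote-naming can allow remote attackers to hijack sessions by using a remoting client. 
(CVE-2013-4128) - A flaw in the manner in which connections for EJB invocations were cached on the server can allow remote attackers to hijack sessions by using an EJB client. (CVE-2013-4213)");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=868202");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=872059");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=880443");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=883636");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=929197");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=948106");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=961779");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=963984");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=983489");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=984795");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=985359");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=999263");
  script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2012-4431.html");
  script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2012-4529.html");
  script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2012-4572.html");
  script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2012-5575.html");
  script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-1921.html");
  script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-2067.html");
  script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-2102.html");
  script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-2160.html");
  script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-2172.html");
  script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-4112.html");
  script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-4128.html");
  script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-4213.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade the installed JBoss Portal 6.0.0 to 6.1.0 or later.");
  # One base vector is declared for the whole advisory (complete
  # confidentiality impact), so it does not describe the availability-only
  # CVE-2013-2160 entry on its own.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/10/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/10/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/01/31");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_enterprise_portal_platform:6.1.0");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2014-2019 Tenable Network Security, Inc.");

  # Declares the two plugins this check depends on and the KB keys that must
  # exist before it is run.
  script_dependencies("ssh_get_info.nasl", "jboss_detect.nbin");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# We are only interested in Red Hat systems
# audit() comes from audit.inc (not shown); presumably it logs the reason and
# ends the script - confirm against the include.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");

info = "";
jboss = 0;

# NOTE(review): get_kb_list_or_exit() is defined elsewhere; by its name it
# presumably ends the script when the list is missing. If so, `jboss` is
# always 1 past this point and the final AUDIT_HOST_NOT branch cannot run -
# confirm before relying on that audit message.
installs = get_kb_list_or_exit("Host/JBoss/Portal Platform");
if(!isnull(installs)) jboss = 1;

foreach install (make_list(installs))
{
  # Each entry is split at the first colon: text before it is the version,
  # everything after it is the install path.
  match = eregmatch(string:install, pattern:"([^:]+):(.*)");

  if (!isnull(match))
  {
    ver = match[1];
    path = match[2];

    # Dots are escaped so that only the literal version 6.0.0 (optionally
    # followed by a non-digit) is flagged; an unescaped '.' matches any
    # character and would also accept strings such as "6x0y0".
    if (ver =~ "^6\.0\.0([^0-9]|$)")
    {
      info += '\n' + ' Path : ' + path+ '\n';
      info += ' Version : ' + ver + '\n';
    }
  }
}

# Report what we found.
if (info)
{
  # NOTE(review): records a CSRF marker in the KB under port 0; presumably
  # read by report tagging elsewhere - confirm.
  set_kb_item(name:"www/0/XSRF", value:TRUE);
  if (report_verbosity > 0)
  {
    # Each flagged install contributes three lines to `info`, so more than
    # three lines means more than one install and the plural wording.
    if (max_index(split(info)) > 3) s = 's of JBoss Enterprise Portal Platform are';
    else s = ' of JBoss Enterprise Portal Platform is';

    report =
      '\n' +
      'The following instance'+s+' out of date and\nshould be upgraded to 6.1.0 or later :\n' +
      info;

    security_hole(port:0, extra:report);
  }
  else security_hole(port:0);
}
else if ( (!info) && (jboss) )
{
  exit(0, "The JBoss Enterprise Portal Platform version installed is not affected.");
}
else audit(AUDIT_HOST_NOT, "affected");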
Packetstorm
data source | https://packetstormsecurity.com/files/download/122337/SA-20130709-0.txt |
id | PACKETSTORM:122337 |
last seen | 2016-12-05 |
published | 2013-07-09 |
reporter | A. Falkenberg |
source | https://packetstormsecurity.com/files/122337/Apache-CXF-2.5.10-2.6.7-2.7.4-Denial-Of-Service.html |
title | Apache CXF 2.5.10 / 2.6.7 / 2.7.4 Denial Of Service |
Redhat
advisories |
|
Seebug
bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:80338 |
last seen | 2017-11-19 |
modified | 2014-07-01 |
published | 2014-07-01 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-80338 |
title | Apache CXF prior to 2.5.10, 2.6.7 and 2.7.4 - Denial of Service |

bulletinFamily | exploit |
description | BUGTRAQ ID: 61030 CVE(CAN) ID: CVE-2013-2160 Apache CXF是一个开源服务框架,用于使用JAX-WS、JAX-RS等前端编程API编译和开发服务。 Apache CXF 2.5.10, 2.6.7, 2.7.4存在多个远程拒绝服务漏洞,流XML解析器没有限制元素数、属性数、接收文档嵌套结构等,攻击者利用这些漏洞可造成应用崩溃,导致拒绝服务。 0 Apache Group CXF <= 2.5.10 Apache Group CXF 2.7.4 Apache Group CXF 2.6.7 厂商补丁: Apache Group ------------ Apache Group已经为此发布了一个安全公告(CVE-2013-2160)以及相应补丁: CVE-2013-2160:Denial of Service Attacks on Apache CXF 链接:http://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc?version=1&modificationDate=1372 |
id | SSV:60893 |
last seen | 2017-11-19 |
modified | 2013-07-11 |
published | 2013-07-11 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-60893 |
title | Apache CXF多个远程拒绝服务漏洞(CVE-2013-2160) |
References
- http://jira.codehaus.org/browse/WSTX-287
- https://bugzilla.redhat.com/show_bug.cgi?id=929197
- https://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc
- http://rhn.redhat.com/errata/RHSA-2013-1028.html
- http://jira.codehaus.org/browse/WSTX-285
- http://rhn.redhat.com/errata/RHSA-2013-1437.html
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E