JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers. (CVE-2017-5653)
Impact
There is no impact; F5 products are not affected by this vulnerability.