The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.
https://access.redhat.com/errata/RHSA-2017:0868
http://www.securitytracker.com/id/1037544
http://www.securityfocus.com/bid/97579
http://cxf.apache.org/security-advisories.data/CVE-2016-8739.txt.asc