Several components are packaged to include the 3rd party Stax Jar (not directly - it's pulled in as a transitive dependency, typically). There is some question about this being OK - see https://issues.apache.org/jira/browse/LEGAL-42.
The resolution is to switch to an alternative impl, part of the Geronimo project. I'll update our POMs that are pulling in the Stax Jar to get the Geronimo one instead... -Marshall ( The [ never ending ] release work will end soon :-), he hopes... )