Done to 3.2.2 at revision:
It would be nice if we had more information about the exploit and how the upgrade might affect OFBiz users.
AFAIK, the upgrade should not affect OFBiz users in any way.
Here is some information about the possible exploit:
https://issues.apache.org/jira/browse/COLLECTIONS-580 TL;DR: see the comment about COLLECTIONS-580 in http://commons.apache.org/proper/commons-collections/release_3_2_2.html
Maybe we should update to 4.1 http://markmail.org/message/nh6csf4fun5n6e23 but that needs to be checked. I mean it's maybe not as easy as changing the lib and the 2 OOTB imports (from "org.apache.commons.collections" to "org.apache.commons.collections4")...
Done at revision: 1717247 cf. OFBIZ-6748
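As an added example (not part of this issue thread or of OFBiz's own code), here is a small audit script a maintainer could run over a build's lib directory to confirm that no commons-collections jar older than the fixed releases is still on the classpath. It reads `Implementation-Version` from each jar's manifest and flags 3.x jars below 3.2.2 and collections4 jars below 4.1, the releases in which the COLLECTIONS-580 fix (refusing to deserialize the unsafe functor classes by default) shipped, per the release notes linked above. The jars it builds in a temporary directory are constructed stand-ins containing only a manifest, so the script runs offline; the directory name `lib` and the file-name filter are assumptions.

```python
import os
import re
import tempfile
import zipfile

# First releases carrying the COLLECTIONS-580 fix (unsafe functor deserialization
# disabled by default): 3.2.2 on the 3.x line, 4.1 on the collections4 line.
FIXED_3X = (3, 2, 2)
FIXED_4X = (4, 1, 0)


def parse_version(text):
    """Turn '3.2.1' or '4.0' into a comparable tuple; None if it is not a version."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def jar_version(path):
    """Return the Implementation-Version recorded in the jar's manifest, or None."""
    with zipfile.ZipFile(path) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def classify(version_text):
    """'vulnerable', 'fixed' or 'unknown' for a commons-collections version string."""
    version = parse_version(version_text) if version_text else None
    if version is None:
        return "unknown"
    if version[0] == 3:
        return "fixed" if version >= FIXED_3X else "vulnerable"
    if version[0] == 4:
        return "fixed" if version >= FIXED_4X else "vulnerable"
    return "unknown"


def scan(directory):
    """Map each commons-collections jar under `directory` to its classification."""
    findings = {}
    for root, _, files in os.walk(directory):
        for name in files:
            # Assumed naming: the Maven artifact name is part of the file name.
            if not name.endswith(".jar") or "commons-collections" not in name:
                continue
            findings[name] = classify(jar_version(os.path.join(root, name)))
    return findings


def make_stub_jar(directory, filename, version):
    """Constructed fixture: a jar holding only a manifest, not a real artifact."""
    path = os.path.join(directory, filename)
    with zipfile.ZipFile(path, "w") as zf:
        body = "Manifest-Version: 1.0\r\n"
        if version is not None:
            body += "Implementation-Version: %s\r\n" % version
        zf.writestr("META-INF/MANIFEST.MF", body)
    return path


def demo():
    """Build a constructed lib directory and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(tmp, "lib")
        os.mkdir(lib)
        make_stub_jar(lib, "commons-collections-3.2.1.jar", "3.2.1")
        make_stub_jar(lib, "commons-collections-3.2.2.jar", "3.2.2")
        make_stub_jar(lib, "commons-collections4-4.0.jar", "4.0")
        make_stub_jar(lib, "commons-collections4-4.1.jar", "4.1")
        make_stub_jar(lib, "commons-collections-unknown.jar", None)
        make_stub_jar(lib, "commons-lang-2.6.jar", "2.6")  # unrelated, ignored
        return scan(lib)


if __name__ == "__main__":
    for jar, status in sorted(demo().items()):
        print("%-40s %s" % (jar, status))
```

The upgrade only changes the library's default for deserializing its own functor classes; code that deserializes untrusted input remains the root issue, so a clean scan is a necessary check rather than a sufficient one.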