The XStream team has released the 1.4.9 stable version in March 15, 2016
This version fixes the XML External Entity (XXE) Processing security issue
Since OFBiz uses the DomDriver, with Java 6 at least in supported releases, OFBiz seems not really vulnerable, but better to be safe than sorry, notably for not OOTB uses...
OWASP Dependency Check did not report this vulnerability. I will report to them.