The previous XXE fix that support was referring to as being fixed was DDIVRT-2015-55 SolarWinds Log and Event Manager Remote Command Execution - Digital Defense Inc. it may have been mistaken that when you reported the "Apache Flex BlazeDS XXE Injection" that it was the same one that was fixed instead of the new one that you reported. At the core that previous one was an XXE fix that was done and the one you are referring to is being looked into.
Noting also the other fix was referenced in SolarWinds Log & Event Manager 6.2.1 Release Notes
It looks there are two new vulnerabilities we found on LEM that support is looking into:
Java Deserialization Remote Code Execution
Apache Flex BlazeDS XXE Injection