And still-more updated info, now finally the formal response from Adobe:

Adobe technote: Log4j vulnerability on ColdFusion

It covers what to do for now for CF2021, 2018, their related PMT and API Mgr counterparts, and indicates that an update for CF2021 and 2018 is due on Fri Dec 17. The technote also discusses briefly CF2016 (which by association would be inferred to apply to CF11 and earlier…though those on versions older than CF2018 should take this as their strong cue to get updated to a supported CF version.)

Following up on my previous comment, I have posted a blog entry here in the portal to point people also to the resources and options available for now.

Dealing with the recent log4j vulnerability, before Adobe releases an update

Follow the far more elaborated discussion here, which includes replies from Adobe and many others, since the day news of the vuln broke:

https://community.adobe.com/t5/coldfusion-discussions/zero-day-exploit-affecting-the-popular-apache-log4j-utility-cve-2021-44228/m-p/12588615

And when Adobe has a more formal response, we can expect it would be posted here on the portal.