Last year the Log4J vulnerability called for the addition of the JVM argument -Dlog4j2.formatMsgNoLookups=true in CF2018 and CF2021. Does anyone know if this JVM argument is still needed/recommended/valid in ColdFusion 2023?
1 Correct answer
My understanding is, "no".
First, the issue is from Dec 2021 rather than "last year", which proves important as I will show. 🙂
Second, that jvm arg was just the very first recommendation from Adobe that month, Dec 14 in fact. Then they came out with an update a week later, on Dec 21. And that was just the first of a couple which would evolve to address this and negate the need for the arg, by removing the affected log4j2 jars.
Finally and most important, cf2023 came out in May 2023, and it had incorporated all the known updates regarding log4j by then.
More than that, it did NOT implement that jvm arg out of the box. (Some may see it, but that would be because they imported settings from a prior cf release that had it.) And FWIW there have been 12 updates to that since then, and none of them have implemented that arg for us.
If it may help, here are resources from me and from Adobe, discussing the changes over time regarding the log4j issue as it evolved back then in late 2021/early 2022:
- https://coldfusion.adobe.com/2021/12/dealing-recent-log4j-vulnerability-adobe-releases-update/
- https://helpx.adobe.com/coldfusion/kb/log4j-2-17-0-vulnerability-coldfusion.html
That's all in the rear view mirror for those on cf2023 and beyond.
Hope that suits in answer to your question. I'm open to corrections, of course.
/Charlie (troubleshooter, carehart.org)
Thank you, @Charlie Arehart , as always!
Glad to have helped. 🙂
/Charlie (troubleshooter, carehart.org)
Last year the Log4J vulnerability called for the addition of the JVM argument -Dlog4j2.formatMsgNoLookups=true in CF2018 and CF2021. Does anyone know if this JVM argument is still needed/recommended/valid in ColdFusion 2023?
By Dordrecht
Important question. I don't know the answer off the top of my head. But I know a way you can answer the question yourself.
After you install ColdFusion 2023, check what the default settings in /bin/jvm.config are. Adobe's ColdFusion engineers would have learned the lessons from ColdFusion versions 2018 and 2021. If the setting -Dlog4j2.formatMsgNoLookups=true were still needed/recommended/valid in version 2023, they would have included it by default. 🙂
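As an added example (not from the thread or from Adobe), here is a POSIX shell script that performs the jvm.config check the last reply describes and also reports the log4j-core jar versions that the accepted answer says the updates replaced. The cfusion root, the bin/jvm.config and lib locations, and the 2.17 threshold (taken from the Adobe KB URL above) are assumptions; adjust them to your install.

```shell
#!/bin/sh
# Added example, not ColdFusion's own tooling. Inspects a CF install for the
# legacy log4j JVM argument and for bundled log4j-core jars so you can see
# which mitigation (if any) is actually in place.

# Returns 0 if jvm.config still carries -Dlog4j2.formatMsgNoLookups=true.
# On a clean CF2023 install this is expected to be absent; its presence
# usually means settings were imported from CF2018/CF2021.
has_nolookups_arg() {
    grep -qF -- '-Dlog4j2.formatMsgNoLookups=true' "$1" 2>/dev/null
}

# Prints the distinct version numbers of log4j-core-*.jar files under a lib
# directory (assumed location: <cfusion>/lib), one per line, sorted.
list_log4j_core_versions() {
    find "$1" -name 'log4j-core-*.jar' 2>/dev/null \
        | sed -n 's/.*log4j-core-\([0-9][0-9.]*\)\.jar$/\1/p' \
        | sort -u
}

# Returns 0 when a version string such as 2.13.3 is below the 2.17 line that
# the Adobe KB article referenced in the thread is about.
version_below_2_17() {
    echo "$1" | awk -F. '{ exit !($1 < 2 || ($1 == 2 && $2 < 17)) }'
}

# Human-readable audit of one cfusion root (assumed layout: bin/ and lib/).
audit_cf_install() {
    root=$1
    if has_nolookups_arg "$root/bin/jvm.config"; then
        echo "jvm.config: legacy -Dlog4j2.formatMsgNoLookups=true is present (imported from an older release?)"
    else
        echo "jvm.config: legacy log4j argument not present (expected on a clean CF2023 install)"
    fi
    for v in $(list_log4j_core_versions "$root/lib"); do
        if version_below_2_17 "$v"; then
            echo "log4j-core $v: older than the 2.17 line in the Adobe KB; review this jar"
        else
            echo "log4j-core $v: at or above the 2.17 line"
        fi
    done
}

# Usage: sh audit_log4j.sh /opt/coldfusion2023/cfusion
if [ $# -gt 0 ]; then
    audit_cf_install "$1"
fi
```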

