# adobe
s
Also, in the latest bulletin it says you’ve added JVM flags wrt the exploit, but not a) whether we should use them or just apply the update and b) what the correct setting is.
In this release, we’ve addressed some security vulnerabilities and added the following jvm flags to that effect.
-Dcoldfusion.cfclient.enable=true/false
-Dcoldfusion.cfclient.allowNonCfc=true/false
m
Salted, when the update is installed, it disables cfclient. Those two JVM settings allow you to re-enable cfclient features. Per the update notes:
NEW JVM FLAGS
In this update, we've disabled cfclient by default. If you need to enable it, there is a new flag to do it.
-Dcoldfusion.cfclient.enable=true/false
Doing so will enable cfclient, but will allow only CFCs to be read. To allow other files to be read, use the flag listed below:
-Dcoldfusion.cfclient.allowNonCfc=true/false
s
Ah, missed that bit, thanks Mark
s
"when the update is installed, it disables cfclient" -- sounds like an update y'all should have made years ago! 🤣 (sorry, couldn't resist)
m
ZING!