I recently installed a fresh copy of Lucee and noted that it came with Tomcat 9.0.98 and Java 21.0.5, neither of which are affected. However, as BK_BK stated, there is a fix for other versions of Java.
Read Maintaining TomCat with Lucee to update Tomcat to 9.0.98 and if running Lucee 6.1.1.118, then you can also update Java to 21.
Note that if you saved trusted SSL certificates with Lucee, then in Lucee 6 the default truststore is now in Java rather than Lucee (see Secure LDAP docs does needs updating) and unless you set Lucee as the default truststore, you may have to re-trust certificates when updating Java, depending on your update method. Personally, I set the environment variable of lucee_use_lucee_SSL_TrustStore to a value of 1 and then use the Lucee truststore for SSL/TLS certificates, using the Lucee Admin GUI to install new certificates such as when trusting an LDAP server’s certificate. When updating Java, I just replace the whole contents of the ../lucee/jre folder with the Java update, without having to worry about re-trusting SSL certificates.