It seems that POI (the Java library behind the CFML library) may not be affected by either CVE anyway as it only depends on the log4j-api jar, not the core jar. From the Apache Log4j security page:
Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
But out of an abundance of caution it’s probably best to apply the update if you’re using v3.1.0 or v3.2.0. It’s on Forgebox as well as GitHub.
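The api-versus-core distinction quoted above can be checked on your own install. The following is an added example, not part of the original post or of POI or the CFML library: it walks a directory, opens every archive (including jars nested inside other archives) and reports which ones carry log4j-core classes and which carry only log4j-api classes. The sample file names in `demo()` are constructed for illustration.

```python
import io, pathlib, tempfile, zipfile

# Class files that tell the two artifacts apart: JndiLookup ships in log4j-core,
# the Logger interface ships in log4j-api.
CORE_MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
API_MARKER = "org/apache/logging/log4j/Logger.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def classify(data, label, found):
    """Record label under 'core'/'api' if the archive holds a marker; recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive, skip it
    with zf:
        names = set(zf.namelist())
        if CORE_MARKER in names:
            found["core"].append(label)
        if API_MARKER in names:
            found["api"].append(label)
        for name in sorted(names):
            if name.lower().endswith(ARCHIVES):
                classify(zf.read(name), f"{label}!/{name}", found)

def scan(root):
    """Return {'core': [...], 'api': [...]} for every archive found under root."""
    found = {"core": [], "api": []}
    for path in sorted(pathlib.Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            classify(path.read_bytes(), path.relative_to(root).as_posix(), found)
    return found

def make_jar(entries):
    """Build an in-memory zip from {entry name: bytes} (used only for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo():
    """Constructed sample tree: one api-only jar, plus a war that hides a core jar inside it."""
    with tempfile.TemporaryDirectory() as root:
        pathlib.Path(root, "lib").mkdir()
        pathlib.Path(root, "lib", "log4j-api.jar").write_bytes(make_jar({API_MARKER: b""}))
        shaded = make_jar({CORE_MARKER: b""})
        pathlib.Path(root, "app.war").write_bytes(make_jar({"WEB-INF/lib/shaded.jar": shaded}))
        return scan(root)
```

An empty `core` list means only the API jar is present; a non-empty one shows where log4j-core is bundled but not whether that copy is a patched release, so check its version against the Apache advisory.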