Adobe announced in October 2018 that they were aware of Oracle's changes to their licensing policies for Java. Since that point there has been a vacuum of updates from them. However, all is not lost!
ColdFusion has multiple versions currently supported, some Oracle Java SE JDK 6 through to 10. It is likely that the most popular JDK is Java SE 8.
Therefore you may be concerned as public updates to this have ceased - as they have for Java SE JDK 9 and 10. Without any recent announcements (as of 9th January 2019) from Adobe, what is a security conscious customer to do ?
Well they could worry about vulnerabilities found like disclosed in https://helpx.adobe.com/security/products/coldfusion/apsb18-33.html or you could do the following:
Get on to Oracle Java SE JDK8 - if you are already on JDK 9 or 10, then this option may be hard to achieve, but not impossible
Install the latest Oracle Java SE update that is compatible with your version of ColdFusion. This can be done at https://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
Buy an Oracle Java SE subscription. This can be done by contacting us if you are in Australia, PNG, New Zealand, Fiji or the Oceania region. At ~AUD$500/year per production server (non-prod can be covered by an OTN license), then this is not a massive exposure assuming you only have a handful of production ColdFusion servers operating. Note that Oracle are planning at this stage to maintain updates to Java SE 8 until March 2022
Wait for Adobe to make an announcement regarding their Java strategy. It is likely that they will either declare that have purchased an ISV license for Java from Oracle and you can continue as-is (and cease your Java SE Subscription) or will adopt an OpenJDK build (like from AdoptOpenJDK.net) or move to a commercial offering like Azul Systems who build Java distributions for Microsoft amongst others and have a strong ISV program for their Java distributions.
Following this simple path will give you the certainty your corporate risk management needs. There is a bit of anxiety on corporate forums about this, and it is understandable. We just wanted you to know that there is a simple alternative and it won't cost you an arm and a leg.
See below for a link to our comprehensive post on the changes that are being made by Oracle to Java commercial arrangements.
Contact us if you would like to discuss this further at firstname.lastname@example.org