That's the advantage of using the bundled version: it's not a dependency that you need to track separately. It's just part of the product, similarly to Lucene and Log4J and Jackson and all the other libraries on which Elasticsearch depends. Elastic looks after the security side of things, so a vulnerability(*) in the bundled JDK would be reported as an Elastic Security Advisory.
(*) NB not all vulnerabilities reported in a dependency are vulnerabilities in the dependent product. For instance most Elasticsearch releases were not vulnerable to the famous Log4J bug reported in CVE-2021-44228. Similarly, there have been a number of Jackson vulnerabilities that did not affect Elasticsearch because Elasticsearch did not use the vulnerable features in the library.