Do Elasticsearch and Kibana use bzip2?

Here is the response I sent to @nkarthik via our security@ address (just to close the loop for anyone paying attention).

Kibana does not use bzip2 in any way. There is no way a remote attacker could exploit this vulnerability.

The container in question contains the package bzip2-libs which appears to be where the vulnerability in question is coming from.

I looked up Red Hat's response to this issue; they do not plan to fix it due to it having a low impact.
https://access.redhat.com/security/cve/cve-2019-12900

We follow Red Hat on these issues; if they do not update the package, there is nothing we can do in our containers, as we are not operating system vendors.
