As the current log4j announcement doesn't specifically mention this CVE except in the context of Logstash, could anyone confirm whether or not Elasticsearch is vulnerable?
Actually it seems they updated the security announcement to explicitly cover this new vulnerability:
[Update 15 December] A further vulnerability (CVE-2021-45046) was disclosed on December 14th after it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. Our guidance for Elasticsearch, APM Java Agent, and Logstash are unchanged by this new vulnerability.