Regarding log4j vulnerability

Logstash v2.17.1 is mitigate against CVE-2021-44832 from the 28th of December. I've asked about it here: Log4j CVE-2021-44832 (released 28th dec) - is ES vulnerable? but thus far no conclusive answer.

I don't know about Logstash, but I do know no update containing log4j 2.17.1 has been released yet for Elasticsearch (it would be released in 7.16.3, but the latest as of writing is 7.16.2).