Further update, please see Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 as it's been amended with details for each of the products and the impact that this RCE has.
TLDR - Elasticsearch is safe due to the use of the Java security manager.