Zero-day exploit in log4j2 which is part of Elasticsearch

I did some digging and it appears that Logstash plugins which depend on an older version of logstash-core-plugin-api may also be affected, even when Logstash is updated to include log4j v2.15.0.

It appears that the logstash-core gem depends on an old, vulnerable version of log4j as well (see logstash-core on RubyGems.org).

Logstash plugins depend on logstash-core-plugin-api, which depends on logstash-core, so it's a transitive dependency of the plugin (and as such gets pulled in when bundling all the dependencies for distribution). A lot of plugins bundle all their dependencies in the gems they push to RubyGems.

It appears that the latest version of logstash-core (on RubyGems.org) doesn't specify log4j as a dependency anymore (how does that work now? Does it just use the log4j bundled with Logstash core?).

Can someone please double-check and confirm my thinking? Thanks.

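A quick way to act on the concern raised in the post above is to scan the installed Logstash tree for every log4j-core jar, not just the one Logstash itself ships, since plugin gems that bundle their jars unpack them under their own gem directory. The script below is an added example written for this page; it is not code from the original post or from the Logstash project. It assumes jars are laid out under a `vendor/jar-dependencies/...` path inside each plugin gem directory and uses hypothetical plugin names (`logstash-filter-stale`, `logstash-filter-fresh`) in a constructed sample tree so it runs offline; on a real install you would point `vulnerable_log4j_jars` at the Logstash installation directory. The threshold defaults to 2.15.0, the version named in the post, and is a parameter so it can be raised as newer advisories require.

```ruby
require "rubygems"   # Gem::Version, for correct numeric version comparison
require "fileutils"
require "tmpdir"

# Filename pattern for the log4j-core jar; the capture is the version string.
LOG4J_CORE_JAR = /\Alog4j-core-(\d+(?:\.\d+)*)\.jar\z/

# Parse "log4j-core-2.11.1.jar" into Gem::Version("2.11.1"); nil for any other file.
def log4j_core_version(path)
  m = LOG4J_CORE_JAR.match(File.basename(path))
  m && Gem::Version.new(m[1])
end

# Walk `root` recursively (e.g. a Logstash install dir, whose vendor/bundle/jruby/*/gems/
# holds each plugin gem and whatever jars it bundled) and return [[relative_path, version], ...]
# for every log4j-core jar whose version is below `min_safe`.
# A version-in-filename check is only a triage step: a renamed or shaded jar would be missed.
def vulnerable_log4j_jars(root, min_safe: "2.15.0")
  floor = Gem::Version.new(min_safe)
  Dir.glob(File.join(root, "**", "log4j-core-*.jar")).sort.each_with_object([]) do |path, out|
    v = log4j_core_version(path)
    out << [path[(root.length + 1)..-1], v.to_s] if v && v < floor
  end
end

# Constructed sample tree (hypothetical plugin names and an assumed jar layout) so the
# example runs offline: Logstash's own patched jar, one plugin gem bundling a stale jar,
# and one plugin gem bundling a patched jar. Empty files stand in for the jars.
SAMPLE_FILES = [
  "logstash-core/lib/jars/log4j-core-2.15.0.jar",
  "vendor/bundle/jruby/2.5.0/gems/logstash-filter-stale-1.0.0/vendor/jar-dependencies/" \
    "org/apache/logging/log4j/log4j-core/2.11.1/log4j-core-2.11.1.jar",
  "vendor/bundle/jruby/2.5.0/gems/logstash-filter-fresh-1.0.0/vendor/jar-dependencies/" \
    "org/apache/logging/log4j/log4j-core/2.15.0/log4j-core-2.15.0.jar",
  "vendor/bundle/jruby/2.5.0/gems/logstash-filter-fresh-1.0.0/vendor/jar-dependencies/" \
    "org/apache/logging/log4j/log4j-api/2.15.0/log4j-api-2.15.0.jar",
].freeze

def build_sample_tree(root)
  SAMPLE_FILES.each do |rel|
    full = File.join(root, rel)
    FileUtils.mkdir_p(File.dirname(full))
    FileUtils.touch(full)
  end
  root
end

# Build the sample tree in a temp dir, scan it, and return the findings.
def demo(min_safe: "2.15.0")
  Dir.mktmpdir("logstash-scan") do |root|
    build_sample_tree(root)
    vulnerable_log4j_jars(root, min_safe: min_safe)
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |rel, ver| puts "#{ver}\t#{rel}" }
end
```

On the sample tree only the stale plugin's bundled `log4j-core-2.11.1.jar` is reported, even though the copy Logstash itself ships is already 2.15.0, which is exactly the situation the post describes. Raising `min_safe` to a later version flags the 2.15.0 copies too.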