
I'm seeing on 7.15, Logstash and Elasticsearch both ship log4j in the vulnerable range, but in my case, I'm running a new enough Java that it shouldn't be an issue.


As has been commented several times on other threads here on HN, a new enough Java only protects against one kind of exploit (directly loading arbitrary bytecode) but not others (serialization tricks to execute arbitrary function calls, or data exfiltration).



