
Add CVE-2021-44228 mitigation for ES #2892

Merged
merged 1 commit into from Dec 17, 2021

Conversation

FlorianHockmann
Member

@FlorianHockmann FlorianHockmann commented Dec 13, 2021

This only mitigates the CVE for the ES included in the pre-packaged distribution. Users who maintain their own ES (or Solr) installation need to apply the mitigation there themselves.

The mitigation is recommended in the summary provided by Elasticsearch:
https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

Fixes #2891


Thank you for contributing to JanusGraph!

In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:

For all changes:

  • Is there an issue associated with this PR? Is it referenced in the commit message?
  • Does your PR body contain #xyz where xyz is the issue number you are trying to resolve?
  • Has your PR been rebased against the latest commit within the target branch (typically master)?
  • Is your initial contribution a single, squashed commit?

For code changes:

  • Have you written and/or updated unit tests to verify your changes?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE.txt file, including the main LICENSE.txt file in the root of this repository?
  • If applicable, have you updated the NOTICE.txt file, including the main NOTICE.txt file found in the root of this repository?

For documentation related changes:

  • Have you ensured that format looks appropriate for the output in which it is rendered?

@janusgraph-bot janusgraph-bot added the cla: external Externally-managed CLA label Dec 13, 2021
Contributor

@farodin91 farodin91 left a comment


LGTM! Thank you @FlorianHockmann.

Member

@mbrukman mbrukman left a comment


LGTM and thank you for fixing this!

@FlorianHockmann
Member Author

I have to admit that I hadn't tested the change yesterday when I created the PR, as I was a bit in a hurry but wanted to get a PR ready for review with this fix.
So, I just built the full distribution locally from this branch and wanted to try out whether ES still starts and whether the property is actually applied, but the archive didn't even include an ES installation for some reason.
Then I noticed that we don't even have GH Actions enabled for the v0.5 branch, and travis-ci.org is already disabled. So, we currently don't have any CI for this branch. I am not sure whether we want to release something without having any CI builds for it. But I also don't know how much effort it would require to either migrate v0.5 to GH Actions as well or to travis-ci.com, in addition to finding out why ES wasn't included in the distribution.

I am therefore personally leaning towards only releasing a fix for 0.6, given the effort required for the v0.5 branch and also the fact that this only affects users of the pre-packaged distribution who really start JanusGraph Server, Cassandra, and ES with the bin/janusgraph.sh script.

What do others think about this?

@linux-foundation-easycla

linux-foundation-easycla bot commented Dec 16, 2021

CLA Signed

The committers are authorized under a signed CLA.

@FlorianHockmann FlorianHockmann changed the base branch from v0.5 to v0.6 December 16, 2021 11:07
This only mitigates the CVE for the ES included in the pre-packaged
distribution. Users who maintain their own ES (or Solr) installation
need to apply the mitigation there themselves.

More information about how JanusGraph is affected by the CVE can be
found here:
https://lists.lfaidata.foundation/g/janusgraph-users/message/6272

The mitigation is recommended in the summary provided by Elasticsearch:
https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

Fixes #2891

Signed-off-by: Florian Hockmann <fh@florian-hockmann.de>
@FlorianHockmann
Member Author

I changed the base branch to v0.6 and verified locally that bin/janusgraph.sh starts ES successfully and that the JVM option is actually used since ES logs its JVM options during startup.
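A scripted version of the verification described in the comment above, added here as an example and not part of the PR or of JanusGraph: it reads the "JVM arguments" line that ES logs at startup and reports whether the mitigation option is present. It assumes the option the PR sets is `-Dlog4j2.formatMsgNoLookups=true` (the one recommended in the Elastic advisory linked above; the diff itself is not shown on this page) and that the log uses the ES 6.x/7.x line format; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the JanusGraph PR: confirm from the
# Elasticsearch startup log that the log4j2 mitigation flag was applied.
# Assumptions: the flag is -Dlog4j2.formatMsgNoLookups=true (as recommended
# in the Elastic advisory) and ES logs its options as "JVM arguments [a, b]".

MITIGATION_FLAG='-Dlog4j2.formatMsgNoLookups=true'

# es_jvm_args LOGFILE: print the JVM arguments ES logged, one per line.
es_jvm_args() {
    sed -n 's/.*JVM arguments \[\(.*\)\].*/\1/p' "$1" | head -n 1 \
        | tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

# es_mitigated LOGFILE: return 0 if the flag was applied, 1 if it is absent,
# 2 if ES never logged its JVM arguments (for example, it did not start).
es_mitigated() {
    args=$(es_jvm_args "$1")
    if [ -z "$args" ]; then
        echo "$1: no 'JVM arguments' line found, did ES start?" >&2
        return 2
    fi
    if printf '%s\n' "$args" | grep -qxF -- "$MITIGATION_FLAG"; then
        echo "$1: mitigated ($MITIGATION_FLAG present)"
        return 0
    fi
    echo "$1: NOT mitigated ($MITIGATION_FLAG missing)" >&2
    return 1
}

# Constructed sample log lines in the ES 6.x/7.x format (not real captures).
LOG_MITIGATED='[2021-12-17T08:58:00,000][INFO ][o.e.n.Node ] [node-1] JVM arguments [-Xms1g, -Xmx1g, -Des.path.home=/opt/es, -Dlog4j2.formatMsgNoLookups=true]'
LOG_UNPATCHED='[2021-12-17T08:58:00,000][INFO ][o.e.n.Node ] [node-1] JVM arguments [-Xms1g, -Xmx1g, -Des.path.home=/opt/es]'

# Usage: es_mitigated /path/to/elasticsearch.log (the log of the ES instance
# started by bin/janusgraph.sh). With no argument, run over the samples.
if [ $# -eq 0 ]; then
    for line in "$LOG_MITIGATED" "$LOG_UNPATCHED"; do
        f=$(mktemp); printf '%s\n' "$line" > "$f"
        es_mitigated "$f"; rm -f "$f"
    done
else
    es_mitigated "$1"
fi
```

The same check can be run against a live node by grepping its log for the JVM arguments line after a restart; a flag only present in jvm.options but absent from that line has not reached the running process.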

@FlorianHockmann FlorianHockmann merged commit cf51b43 into v0.6 Dec 17, 2021
@FlorianHockmann FlorianHockmann deleted the Issue_2891_v0.5_cve-2021-44228 branch December 17, 2021 08:58