There is no version of apache storm which doesn't use log4j 2.x version (which is affected by CVE-2021-44228 vulnerability). I found this fix on log4j website:y
guidewire
sql-server-2016-express
parsedown
vapix
microsoft.aspnetcore.odata
ggez
assembly-resolution
resuming-training
multi-page-application
eclipse-kepler
aedes
datacolumn
cyclic
sonarqube-8.9
imglykit
broken-pipe
hibernate-search
bricscad
exception
oauth-2.1
google-play-billing
netlist
iris-recognition
webservices-client
social-auth-app-django
documentum-d2
java-client
fastly
libxml2
influxdb
