There is no version of Apache Storm which doesn't use a log4j 2.x version (which is affected by the CVE-2021-44228 vulnerability). I found this fix on the log4j website: