There is no version of Apache Storm which doesn't use a log4j 2.x version (which is affected by the CVE-2021-44228 vulnerability). I found this fix on the log4j website: