There is no version of Apache Storm which doesn't use a log4j 2.x version (which is affected by the CVE-2021-44228 vulnerability). I found this fix on the log4j website: