There is no version of apache storm which doesn't use log4j 2.x version (which is affected by CVE-2021-44228 vulnerability). I found this fix on log4j website:y
adt
collaborative-filtering
wxgrid
minimum-spanning-tree
androidpdfviewer
geolocation
cuba
css-color
ssh-keys
quadprog
notserializableexception
uidatepickermodetime
boost-build
ansi-to-html
pci-bus
v-for
buildsrc
eclipse-wtp
dependency-resolver
antlr4cs
reactql
uicollectionviewlayout
django-reversion
dataspell
greengrass
revokeobjecturl
busy-cursor
incompatibility
diffie-hellman
happy
