There is no version of apache storm which doesn't use log4j 2.x version (which is affected by CVE-2021-44228 vulnerability). I found this fix on log4j website:y
hp-ux
react-forms
spark2.4.4
cxml
multi-module
knyle-style-sheet
try-except
gradle-daemon
rapids
osc
avatar
png
cats-effect
animatedimagedrawable
deepfreeze
entitydatasource
kotlin-native
aegir
12factor
pykka
gadbannerview
appium-ios
foundationdb
sd-card
compositing
node-promisify
pixel
vesta
truestudio
multivariate-testing
