There is no version of Apache Storm which doesn't use a log4j 2.x version (which is affected by the CVE-2021-44228 vulnerability). I found this fix on the log4j website: