There is no version of apache storm which doesn't use log4j 2.x version (which is affected by CVE-2021-44228 vulnerability). I found this fix on log4j website:y
automatic-differentiation
android-menu
shiro
web-administration
dcom
hp-service-manager
memdb
airflow
grpc-kotlin
constraintlayout-helper-widget-flow
aabb
ip-restrictions
mongorestore
bsod
rowfilter
r-portfolioanalytics
transcoding
easytrieve
gobblin
dynamic-linking
mutual-information
nagle
bufferedinputstream
fog-google
max-heap
pyface
mongodb-queue
stateless-session-bean
nmi
datalistitem
