There is no version of apache storm which doesn't use log4j 2.x version (which is affected by CVE-2021-44228 vulnerability). I found this fix on log4j website:y
angular-chart
cyclic-graph
xslt-1.0
customproperty
datastax-java-driver
django-fsm
cordic
akka-camel
amazon-connect
elapsedtime
ssis-2019
gettickcount
language-specifications
node-api
allure
dropwizard-guice
private-nuget-feed
pyimgui
html-components
apache-commons-net
rexray
xmeans
qplaintextedit
metatrader4
observedobject
fpdf
point-cloud-library
react-mapbox-gl
nvidia-docker
posts
