There is no version of apache storm which doesn't use log4j 2.x version (which is affected by CVE-2021-44228 vulnerability). I found this fix on log4j website:y
lexical-analysis
hibernate-batch-updates
androidplot
2phase-commit
rx-android
eigenvalue
tree-conflict
onblur
android-x86
wireframe
go-gorm
syncfusion-blazor
distributed-database
android-scrollbar
powerbi-datasource
switch-expression
computer-forensics
company-mode
gtextras
beginthreadex
solarwinds-orion
filesystems
achievements
savedstateviewmodelfactory
remote-connection
angular-dynamic-components
embedded-fonts
duende-identity-server
gitlab-ci-runner
non-member-functions
