There is no version of apache storm which doesn't use log4j 2.x version (which is affected by CVE-2021-44228 vulnerability). I found this fix on log4j website:y
hadoop-yarn
cakephp-3.4
aviary
sockets
repeatable-read
system.net.sockets
fl-chart
labelme
spectrogram
disk-access
template-aliases
xcode10.3
tabbed
sequentialfeatureselector
perfect
int128
binomial-heap
specialized-annotation
hashicorp
filecontentresult
session-state
okhttp3
getmessage
reflection
lookbehind
pure-css
vim-mode-plus
grep
graylog3
pdf2json
