There is no version of apache storm which doesn't use log4j 2.x version (which is affected by CVE-2021-44228 vulnerability). I found this fix on log4j website:y
tapkey
appsmith
xcode10.3
moniker
lifelines
file-saver
remove-if
directshow.net
databricks-connect
ballerina-swan-lake
javaparser
header-bidding
datetime-parsing
odoo-10
libvlcsharp
ibexpert
akka-actor
eclipse-oxygen
validity.js
patternsyntaxexception
regfreecom
.class-file
data-uri
client-side-validation
mutablemap
nav-pills
unsafemutablebufferpointer
php-ews
poodle-attack
tk
