There is no version of apache storm which doesn't use log4j 2.x version (which is affected by CVE-2021-44228 vulnerability). I found this fix on log4j website:y
isession
intermediate-code
lambda-calculus
directx-9
rename
unmanaged
react-native-elements
sharepoint-2016
darkaonlinel5-swagger
proc-r-package
image-thresholding
jlink
removeall
truncated
angular-controller
reindex
debian-stretch
keda-scaledjob
gd2
actionform
braille
tailwind-variants
timeunit
postgresql-extensions
mksh
installation-path
angularjs-ng-model
mediatemple
makensis
sparklines
