There is no version of apache storm which doesn't use log4j 2.x version (which is affected by CVE-2021-44228 vulnerability). I found this fix on log4j website:y
maxscript
xmldocument
ng-upgrade
jarjar
noindex
nehotspotconfiguration
pydicom
wstring
gnocchi
google-cloud-pubsublite
saxon-c
mat-input
angularjs-ng-transclude
scrollcontroller
exchange-basicauth
glyphrun
openmpi
mdptoolbox
seven-segment-display
sessionfactory
waitone
pdflib
page-fragments
jgraph
azure-blob-trigger
arworldmap
ucp
dynamodb-queries
postconstruct
torque
