There is no version of apache storm which doesn't use log4j 2.x version (which is affected by CVE-2021-44228 vulnerability). I found this fix on log4j website:y
react-native-swiper
glom
usb-hostcontroller
cachemanager
css-float
onpaint
daap
tags
smile
normalization
time-limiting
pepper
activeresource
maven-war-plugin
kotlin-logging
rust-iced
oracle-application-server
micronaut-kafka
kendo-scheduler
getdate
egl
jdk1.7
lumen-5.4
openpgp.js
django-postgresql
axes
monkeylearn
react-native-table-component
tensorboardx
mediaprojection
