There is no version of apache storm which doesn't use log4j 2.x version (which is affected by CVE-2021-44228 vulnerability). I found this fix on log4j website:y
argumentnullexception
sql-job
apache-kafka-security
packages.json
mousedown
system.configuration
jcenter
2d
facebook-like
pyqgis
sealed-class
data-files
kura
android-widget
insomnia
static-methods
contrast
freemind
fclose
gocql
deeppavlov
dynamics-365-ce-onpremises
youtube-player-flutter
fiware-orion
zxing
c-api
yad
mariadb-10.5
fakexrmeasy
axe
