There is no version of apache storm which doesn't use log4j 2.x version (which is affected by CVE-2021-44228 vulnerability). I found this fix on log4j website:y
nested-stack
submenu
multipass
application-restart
puppetlabs-apache
formal-semantics
lockless
plotkml
angular11
adafruit
kafka-python
resumable
php-ews
skype4py
sfml
dmcs
contrast
mnemonics
procmail
rvest
frisby.js
ruby-on-rails-4.1
commerce
pod-install
flutter-packages
pgx
ib-api
iot
angularjs-compile
xmlschema
