There is no version of Apache Storm which doesn't use a log4j 2.x version (which is affected by the CVE-2021-44228 vulnerability). I found this fix on the log4j website: