There is no version of Apache Storm which doesn't use a log4j 2.x version (which is affected by the CVE-2021-44228 vulnerability). I found this fix on the log4j website: