From 3b3a92fa3e62e317cf3b5a66e692360dd1015e77 Mon Sep 17 00:00:00 2001
From: Shunping Huang
Date: Thu, 16 Apr 2026 16:27:13 -0400
Subject: [PATCH] Fix CVE-2026-34477 (#38210)

---
 .../groovy/org/apache/beam/gradle/BeamModulePlugin.groovy | 2 +-
 sdks/java/io/expansion-service/build.gradle | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy b/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
index 37783f135db7..dedeef40551f 100644
--- a/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
+++ b/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
@@ -628,7 +628,7 @@ class BeamModulePlugin implements Plugin {
     def jsr305_version = "3.0.2"
     def everit_json_version = "1.14.2"
     def kafka_version = "2.4.1"
-    def log4j2_version = "2.25.3"
+    def log4j2_version = "2.25.4"
     def nemo_version = "0.1"
     // [bomupgrader] determined by: io.grpc:grpc-netty, consistent with: google_cloud_platform_libraries_bom
     def netty_version = "4.1.124.Final"
diff --git a/sdks/java/io/expansion-service/build.gradle b/sdks/java/io/expansion-service/build.gradle
index b12e48207265..1dc0b2f8c99b 100644
--- a/sdks/java/io/expansion-service/build.gradle
+++ b/sdks/java/io/expansion-service/build.gradle
@@ -91,6 +91,12 @@ dependencies {
   runtimeOnly library.java.kafka_clients
   runtimeOnly library.java.slf4j_jdk14
 
+
+  // Force log4j-core version in shadow jar to fix CVE-2026-34477 in the shaded jar
+  // `org.apache.beam:beam-sdks-java-io-expansion-service`
+  // Currently, it has a transitive dependency of `org.apache.iceberg:iceberg-aws-bundle:1.10.0`,
+  // which includes a vulnerable log4j-core (2.20.0).
+  runtimeOnly library.java.log4j2_core
 }
 
 task runExpansionService (type: JavaExec) {
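Review bot: The added `runtimeOnly library.java.log4j2_core` in the build.gradle hunk does not force anything; it only wins because Gradle's default conflict resolution picks the highest requested version over the 2.20.0 pulled in through iceberg-aws-bundle, so the "Force" wording in the new comment overstates the guarantee and a later bundle upgrade (or any dependency requesting a different log4j-core) can silently change what gets shaded. If the intent really is to pin, a dependency constraint with `version { strictly log4j2_version }` would express that, and the comment should then say which mechanism is relied on. It is also worth confirming (I cannot tell from the hunk) that iceberg-aws-bundle declares log4j-core as a transitive dependency rather than embedding its classes, since embedded classes would remain in the shaded jar regardless of the resolved version; a check of the built shaded jar's log4j-core version would make the fix verifiable and protect against regressions. The enclosing `dependencies {` block starts outside the hunk.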