From c869ab78f45d5b86ea10bbac22c0a3f303ef7e3f Mon Sep 17 00:00:00 2001
From: Valentyn Tymofieiev
Date: Fri, 17 Apr 2026 17:02:17 -0700
Subject: [PATCH 1/2] Attempt to force a newer version of Jetty for sql expansion service jar.
---
 sdks/java/extensions/sql/expansion-service/build.gradle | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/sdks/java/extensions/sql/expansion-service/build.gradle b/sdks/java/extensions/sql/expansion-service/build.gradle
index 562c1ac8dc76..f1ef8c1a7b5b 100644
--- a/sdks/java/extensions/sql/expansion-service/build.gradle
+++ b/sdks/java/extensions/sql/expansion-service/build.gradle
@@ -31,6 +31,15 @@ configurations.runtimeClasspath {
 // Pin avro to 1.11.4 due to https://github.com/apache/beam/issues/34968
 // cannot upgrade this to the latest version due to https://github.com/apache/beam/issues/34993
 resolutionStrategy.force 'org.apache.avro:avro:1.11.4'
+
+ // Force jetty-http to a newer version to remediate a vulnerability in Jetty 9.
+ // It is a transitive dependency of Hadoop.
+ // This may cause runtime errors if we trigger Hadoop codepaths where this dep is used.
+ resolutionStrategy.eachDependency { details ->
+ if (details.requested.group == 'org.eclipse.jetty' && details.requested.name == 'jetty-http') {
+ details.useVersion('12.0.12')
+ }
+ }
 }
 
 description = "Apache Beam :: SDKs :: Java :: SQL :: Expansion Service"
From f5d2ebf7f619bba1e624cbff85982caf3d9fa363 Mon Sep 17 00:00:00 2001
From: Valentyn Tymofieiev
Date: Fri, 17 Apr 2026 17:11:23 -0700
Subject: [PATCH 2/2] Also update beam expansion service
---
 sdks/java/io/expansion-service/build.gradle | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/sdks/java/io/expansion-service/build.gradle b/sdks/java/io/expansion-service/build.gradle
index 1dc0b2f8c99b..58748ed16d40 100644
--- a/sdks/java/io/expansion-service/build.gradle
+++ b/sdks/java/io/expansion-service/build.gradle
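Review bot: Forcing only `jetty-http` to 12.0.12 in the new `eachDependency` rule leaves every other Jetty artifact Hadoop brings in (server, util, io, servlet) at its 9.4 version, so the runtime classpath mixes two Jetty majors; jetty-http 12.x also declares its own 12.x jetty-util/jetty-io dependencies, which Gradle's default highest-version conflict resolution is expected to prefer over the 9.4 ones, so the blast radius is wider than "this dep" in the comment suggests. The same rule is introduced in the sdks/java/io/expansion-service hunk below. A runtimeClasspath dependency report (`gradle dependencies --configuration runtimeClasspath`) attached to the PR would show which Jetty coordinates actually resolve to which version, and a smoke test that starts the built expansion-service jar would surface the linkage errors the comment anticipates before a release does. Since this targets a specific advisory, the comment should name it instead of "a vulnerability in Jetty 9", e.g. `// Force jetty-http to 12.0.12 to remediate <ADVISORY-ID> in Jetty 9.4.x; the remaining Jetty artifacts stay at Hadoop's 9.4 version.`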
@@ -40,16 +40,14 @@ configurations.runtimeClasspath {
 // force parquet-avro:1.15.2 to fix CVE-2025-46762
 resolutionStrategy.force 'org.apache.parquet:parquet-avro:1.15.2'
 
- // Pin Jetty version due to hadoop 3.4.1 using 9.4.53.v20231009, which had
- // two direct vulnerabilities. There is one dependency vulnerability left
- // in 9.4.57.v20241919. Higher major versions are not allowed due to
- // incompability with hadoop 3.4.1.
+ // Force jetty-http to a newer version to remediate a vulnerability in Jetty 9.
+ // It is a transitive dependency of Hadoop.
+ // This may cause runtime errors if we trigger Hadoop codepaths where this dep is used.
 resolutionStrategy.eachDependency { details ->
- if (details.requested.group.startsWith('org.eclipse.jetty')) {
- details.useVersion('9.4.57.v20241219')
+ if (details.requested.group == 'org.eclipse.jetty' && details.requested.name == 'jetty-http') {
+ details.useVersion('12.0.12')
 }
 }
-
 // Pin logback to 1.5.27 to resolve CVE-2026-1225
 resolutionStrategy.force "ch.qos.logback:logback-classic:1.5.27"
 resolutionStrategy.force "ch.qos.logback:logback-core:1.5.27"
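Review bot: Replacing the `startsWith('org.eclipse.jetty')` rule with a `jetty-http`-only match silently drops the upgrade of every other Jetty artifact to 9.4.57.v20241219, so jetty-server, jetty-util, jetty-io and the rest fall back to whatever Hadoop 3.4.1 requests — the removed comment says that is 9.4.53.v20231009 and that it carried two direct vulnerabilities. For those artifacts the change is a regression, and neither the new comment nor the patch subject mentions it. If only jetty-http is meant to move to 12.x, keep the broad pin for the others: `if (details.requested.group.startsWith('org.eclipse.jetty')) { details.useVersion(details.requested.name == 'jetty-http' ? '12.0.12' : '9.4.57.v20241219') }`. The removed rationale "Higher major versions are not allowed due to incompability with hadoop 3.4.1" is also dropped without stating why it no longer applies; the new comment should say what changed or what was tested.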