diff --git a/build.gradle b/build.gradle
index a9becda6c..421eb2bdc 100644
--- a/build.gradle
+++ b/build.gradle
@@ -20,6 +20,9 @@ buildscript {
 // Lock buildscript dependencies.
 configurations.classpath {
 resolutionStrategy.activateDependencyLocking()
+
+ // See java_common.gradle for explanation.
+ exclude group: 'org.apache.logging.log4j'
 }
 }
diff --git a/gradle/dependency-locks/buildscript-classpath.lockfile b/gradle/dependency-locks/buildscript-classpath.lockfile
index f4301149d..273001cd9 100644
--- a/gradle/dependency-locks/buildscript-classpath.lockfile
+++ b/gradle/dependency-locks/buildscript-classpath.lockfile
@@ -40,8 +40,6 @@ org.apache.ant:ant-launcher:1.9.7
 org.apache.ant:ant:1.9.7
 org.apache.commons:commons-compress:1.20
 org.apache.commons:commons-lang3:3.8.1
-org.apache.logging.log4j:log4j-api:2.11.0
-org.apache.logging.log4j:log4j-core:2.11.0
 org.apache.maven:maven-artifact:3.6.2
 org.apache.maven:maven-builder-support:3.6.2
 org.apache.maven:maven-model-builder:3.6.2
diff --git a/java_common.gradle b/java_common.gradle
index ed7e4aa1e..5a3de130b 100644
--- a/java_common.gradle
+++ b/java_common.gradle
@@ -64,6 +64,8 @@ configurations {
 it.exclude group: 'org.mockito', module: 'mockito-core'
 }
 all.each {
+ // log4j has high-profile security vulnerabilities. It's a transitive dependency used by some
+ // Apache Beam packages. Excluding it does not impact our troubleshooting needs.
 it.exclude group: 'org.apache.logging.log4j'
 }
 }
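Review bot: The new `exclude group: 'org.apache.logging.log4j'` on the buildscript classpath removes log4j-api together with log4j-core (the lockfile hunk shows both 2.11.0 artifacts dropping out), so a plugin that was compiled against the log4j API may now fail at build time with a NoClassDefFoundError instead of being caught at dependency resolution. If the goal is only to keep the vulnerable implementation off the classpath, narrow the exclusion to `exclude group: 'org.apache.logging.log4j', module: 'log4j-core'`, or replace it with a dependency constraint that pins a patched log4j version so anything that genuinely logs through log4j keeps working; the identical group-wide exclusion in the java_common.gradle hunk has the same consideration. The `buildscript {` block this sits in opens before the hunk, and the two closing braces in the trailing context belong to it.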
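Review bot: The added comment says log4j has "high-profile security vulnerabilities" but does not say which or from what version they are fixed, so a later maintainer cannot tell when this exclusion is safe to lift; name the advisory and the fixed release, e.g. `// log4j has high-profile security vulnerabilities (<ADVISORY-ID>, fixed in <PATCHED-VERSION>). It's a transitive dependency used by some`. Because the exclusion lives in `all.each`, it applies to every configuration, so it would also help to record how "does not impact our troubleshooting needs" was established (for example, that no runtime path in this project logs via the log4j API). The enclosing `configurations {` block starts before the hunk.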