We vendor a known vulnerable version of Guava. The specific vulnerability is low to no impact on Beam but it does potentially affect any server that uses Java serialization with Beam on the classpath. Do we have a reason for still being on Guava 20.0?
https://github.com/google/guava/wiki/CVE-2018-10237 Andrew