...
This noncompliant code example consists of two classes: an immutable final ImmutablePoint class and a mutable Holder class. Holder is mutable because a new ImmutablePoint instance can be assigned to it using the setPoint() method (see CON09-J. Do not assume that classes having only immutable members are thread-safeSynchronize access to shared references). The ImmutablePoint is final so that an attacker may not subclass it and assign a mutable subclass to ipoint.
...
Thread-safe classes (which may not be strictly immutable), such as Container in this noncompliant code example, must declare fields as final or volatile, or synchronize all accesses of the field (see CON09-J. Do not assume that classes having only immutable members are thread-safeSynchronize access to shared references). In the absence of synchronization, non-final, non-volatile fields may be observed by other threads before the sub-objects' initialization has concluded.
...