...
Replacing the function table gives the attacker access to the XPathContext. The XPathContext is used to set the reference node for evaluating XPath expressions. Manipulating it can allow XML fields to be modified in inconsistent ways, resulting in unexpected behavior. Also, because static variables are global across the Java Runtime Environment (JRE), they can be used as a covert communication channel between different application domains (for example, through code loaded by different class loaders).
...
Fields declared static final are also safe for multithreaded use; see guideline TSM03-J. Do not publish partially initialized objects. However, remember that simply changing the modifier to final may not prevent attackers from indirectly retrieving an incorrect value from the static final variable before its initialization; see guideline MSC07-J. Eliminate class initialization cycles for more information. Further, individual members of the referenced object can also be changed if the object itself is mutable; see guideline OBJ01-J. Do not assume that declaring a reference to be final causes the referenced object to be immutable.
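The two caveats above, shown in code. This is an added example and not part of the CERT standard's own examples; the class names (UnsafeTable, SafeTable, Cycle, FixedCycle) and the host-name values are constructed for illustration. The first pair of classes shows that a static final reference to a mutable array still lets any caller rewrite its elements, and how a private field behind an unmodifiable view closes that path. The second pair reproduces the MSC07-J initialization cycle: a constructor that runs during class initialization reads a static final field before its initializer has executed and sees the default value 0, and reordering the declarations removes the cycle.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// (1) "final" freezes the reference, not the object it points to.
class UnsafeTable {
    // Public and mutable: any class in the JRE can overwrite the elements.
    public static final String[] ALLOWED_HOSTS = {"internal.example.org", "backup.example.org"};
}

class SafeTable {
    // Private, and only ever handed out through an unmodifiable view.
    private static final Set<String> ALLOWED_HOSTS = Collections.unmodifiableSet(
        new HashSet<>(Arrays.asList("internal.example.org", "backup.example.org")));

    static boolean isAllowed(String host) { return ALLOWED_HOSTS.contains(host); }
    static Set<String> allowedHosts() { return ALLOWED_HOSTS; } // add()/remove() throw
}

// (2) Initialization cycle: static initializers run in textual order, so the
// constructor below executes while DEPOSIT still holds its default value 0.
class Cycle {
    private final int balance;
    private static final Cycle INSTANCE = new Cycle();      // runs before DEPOSIT is assigned
    private static final int DEPOSIT = initialDeposit();    // method call, so not inlined as a constant

    private Cycle() { balance = DEPOSIT - 10; }             // reads DEPOSIT == 0 here
    private static int initialDeposit() { return 100; }
    static int getBalance() { return INSTANCE.balance; }    // -10 rather than the intended 90
}

class FixedCycle {
    private final int balance;
    private static final int DEPOSIT = initialDeposit();    // declared first, so initialized first
    private static final FixedCycle INSTANCE = new FixedCycle();

    private FixedCycle() { balance = DEPOSIT - 10; }        // DEPOSIT == 100 by now
    private static int initialDeposit() { return 100; }
    static int getBalance() { return INSTANCE.balance; }    // 90
}

public class StaticFinalPitfalls {
    public static void main(String[] args) {
        // The mutable array behind a public static final field is rewritable by anyone.
        UnsafeTable.ALLOWED_HOSTS[0] = "untrusted.example.net";
        System.out.println("UnsafeTable: " + Arrays.toString(UnsafeTable.ALLOWED_HOSTS));

        // The unmodifiable view rejects the same change.
        try {
            SafeTable.allowedHosts().add("untrusted.example.net");
        } catch (UnsupportedOperationException e) {
            System.out.println("SafeTable: modification rejected, untrusted allowed? "
                + SafeTable.isAllowed("untrusted.example.net"));
        }

        System.out.println("Cycle balance:      " + Cycle.getBalance());      // -10
        System.out.println("FixedCycle balance: " + FixedCycle.getBalance()); // 90
    }
}
```

Compile and run with `javac StaticFinalPitfalls.java && java StaticFinalPitfalls`. Note that `DEPOSIT` is initialized through a method call on purpose: a literal such as `static final int DEPOSIT = 100` is a compile-time constant that the compiler inlines at every use, which would hide the cycle in this toy but not in real code whose constants come from configuration or computation.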
...