 
Callers can trivially access and modify public non-final static fields. Neither accesses nor modifications can be checked by a SecurityManager, and newly set values cannot be validated. Furthermore, multiple threads can modify non-final public static data in ways that are not consistent.
Noncompliant Code Example
This is an example from the JDK 1.4.2 software.
package org.apache.xpath.compiler;
public class FunctionTable {
    public static FuncLoader m_functions;
}
An attacker can replace the function table as follows:
FunctionTable.m_functions = <new_table>;
Replacing the function table gives the attacker access to the XPathContext used to evaluate XPath expressions. Static variables are global across a Java runtime environment. They can be used as a communication channel between different application domains (e.g. by code loaded into different class loaders).
There are a few ways this problem can be avoided.
Compliant Solution
Treat public static fields as constants and declare them as final. Consider the use of enum types.
package org.apache.xpath.compiler;
public class FunctionTable {
    // A blank final static field must be assigned exactly once, in a static initializer (not shown).
    public static final FuncLoader m_functions;
}
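Additionally, for mutable static state one can define accessor methods and add appropriate security checks.
public class MyClass {
    // Private, so all reads and writes go through the accessors below.
    private static byte[] data = new byte[0];
    public static byte[] getData() {
        // Return a copy so callers cannot modify the internal array.
        return data.clone();
    }
    public static void setData(byte[] b) {
        // securityCheck() is an application-defined permission check (not shown).
        securityCheck();
        // Store a copy so later changes to the caller's array have no effect.
        data = b.clone();
    }
}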
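The two remedies above, as an added example that is not code from the JDK or from this guideline: it contrasts a public static final array, whose elements remain writable, with private static state reached only through a checked, validated accessor. The class name SafeFunctionTable, the field names and the permission name "functionTable.modify" are hypothetical.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.UnaryOperator;

// Added example: all class, field and permission names are hypothetical.
public class SafeFunctionTable {
    // final blocks reassignment of the reference only; elements stay writable.
    public static final String[] WEAK_NAMES = { "count", "sum" };

    // Hardened: private state, thread-safe map, never exposed by reference.
    private static final Map<String, UnaryOperator<String>> FUNCTIONS =
            new ConcurrentHashMap<>();
    private static final RuntimePermission MODIFY =
            new RuntimePermission("functionTable.modify");

    // Stands in for the page's securityCheck(); no-op if no manager is installed.
    @SuppressWarnings({"removal", "deprecation"})
    private static void securityCheck() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(MODIFY); // throws SecurityException on denial
        }
    }

    public static void register(String name, UnaryOperator<String> fn) {
        securityCheck();
        // Validate the new value before it becomes globally visible.
        if (name == null || name.isEmpty() || fn == null) {
            throw new IllegalArgumentException("invalid function entry");
        }
        FUNCTIONS.put(name, fn);
    }

    // Callers receive an immutable copy, not the live table.
    public static Map<String, UnaryOperator<String>> snapshot() {
        return Map.copyOf(FUNCTIONS);
    }

    public static void main(String[] args) {
        WEAK_NAMES[0] = "replaced"; // compiles and succeeds despite final
        register("upper", s -> s.toUpperCase());
        try {
            snapshot().put("other", s -> s);
        } catch (UnsupportedOperationException e) {
            System.out.println("snapshot is read-only");
        }
        System.out.println(WEAK_NAMES[0] + " " + snapshot().get("upper").apply("abc"));
    }
}
```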
Risk Assessment
Unauthorized modifications to public static variables can result in unexpected behavior and can bypass important security checks and/or invoke malicious code.
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level | 
|---|---|---|---|---|---|
| OBJ31-J |  high  |  likely  |  low  | P9 | L2 | 