The jdk.localedata module is granted permission to read all system properties in lib/security/default.policy. However, from a scan of the code, it does not appear to read any system properties.

The permissions should be tightened to only grant reading of the specific properties it needs.