The spec for the new Cipher.update(ByteBuffer,ByteBuffer) and Cipher.doFinal(ByteBuffer,ByteBuffer) does not say what happens if the input and output ByteBuffer are the same object (as opposed two different objects referring to the same piece of memory).
The spec should be updated to state that this is not allowed and a IllegalArgumentException is thrown. If an application wants to do in-place encryption, it should use different ByteBuffer objects referring to that piece of memory (the output buffer could be obtained using byteBuffer.duplicate()).