First, the good news: None of the 11 patches slated for Oracle databases fix vulnerabilities that are remotely exploitable. That is, attackers must be logged in to conduct an attack. Now the not-so-good news: Nine fixes for Oracle Application Server can be exploited by hackers who are not logged in. The same is true for a number of the updates on deck for Oracle WebLogic Server.
Oracle's Critical Patch Update (CPU) Pre-Release Announcement is available here. The Oracle quarterly patch cycle started about four years ago, as a way for Oracle to help lower the cost and aggravation associated with applying software patches.
While many of these vulnerabilities have been rated as critical, it's not likely that most organizations will rush to patch. Early this year database security vendor Sentrigo asked a few hundred Oracle database professionals if they have ever installed an Oracle CPU and 67.5% said they had never applied an Oracle CPU.