And boy are there a lot of them. The overall patch is listed as CRITICAL and from the details, I would strongly agree.

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

They have updates for a large number of products. The "full table" link contains links to the update tables containing CVE#, the details of rhe CVSS scoring, protocol, component and version affected.

• Oracle Database:
  • 10 patch for Oracle Database, none of which are remotely exploitable without authentication
  • 9 patch for Secure Backup, all of the vulnerabilities are remotely exploitable without authentication
  • 1 patch for TimesTen Data Server which is remotely exploitable without authentication
  • Full table here
• Oracle Application Server:
  • 4 patches, of which 2 are remotely exploitable without authentication
  • Full table here
• Oracle Collaboration Suite
  • 1 patch which isn't remotely exploitable without authentication
  • Full table here
• Oracle E-Business Suite and applications
  • 4 patches none of which are remotely exploitable without authentication
  • Full table here
• Oracle Enterprise Manager
  • 1 patch which isn't remotely exploitable without authentication
  • Full table here
• Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne
  •   6 patches none of which are remotely exploitable
  • Full table here
• BEA Product Suite
  • 5 patches all of which are remotely exploitable without authentication
  • Full table here