
Oracle Sets New Security Patch Record


Oracle has released the July 2016 Critical Patch Update, and it covers a record 274 security issues across pretty much every Oracle product. If you are an Oracle customer, you are almost certainly running a vulnerable product and should patch.

WebLogic and GlassFish feature prominently with four bugs with a CVSS 3.0 rating of 9.8. This is the scary type that can be remotely exploited without authentication, meaning that any user that can access your server can execute the exploit. Worse, all of them have low attack complexity, so you can expect bad guys to be able to use them.

In the category of products with these critical security issues, you also find a lot of Oracle's applications, including Hyperion, Oracle Agile, Oracle Communications, Oracle Health Sciences, and Oracle Retail.

Embarrassingly, the product "Oracle Secure Global Desktop" also contains one of these worst-case bugs...

It is interesting to see that JDeveloper also features on this quarter's list, though "only" with a severity score of 8.8. Apparently ADF Faces contains an easily exploitable vulnerability that allows a low-privileged attacker with network access via HTTP to compromise Oracle and take over Oracle JDeveloper. So maybe that's why my JDev keeps crashing.

Oracle Application Express is not a fixture on this list the way Java is, but this quarter APEX does make an appearance with a couple of moderate severity issues. You should update your APEX to 5.0.4, which is the brand-new version released July 12th.