The main list of CVEs for Java can be found at CVE Details. Some have ended up under Oracle instead of Sun.
Java on a server and Java on a mobile phone are exposed to different vulnerabilities. JBoss and Oracle Application Server are two of the most popular J2EE setups.