Well, the KB doesn't mention anything about ESX 4; ESXi is mentioned as not being impacted.
vSphere ESXi Hypervisor
ESXi 5.0 - 5.5 is not affected as it uses the ash shell (through busybox), which is not affected by the vulnerability reported for the bash shell.
Still waiting on older versions?
This vulnerability is reported to affect every version of Bash since its inception in 1989. Patching and upgrading systems should always be a regular and planned operation for reasons such as this. ESX 4.x might be affected as it uses Bash.
For those of you running VMware, they have posted a blog here, and an advisory here. As things stand, if you’re running VMware tools on top of Windows, such as vCenter for example, then you are not vulnerable. Also, ESXi is not vulnerable as it uses ash shell via BusyBox instead of Bash. However, any virtual appliances may well be vulnerable, including the vCenter Server Appliance. I would recommend keeping an eye on VMware KB 2090740 for the latest updates.
ESX 4 is affected, we tested it yesterday. I raised a call with VMware today but as ESX 4 is End of Life, it does not seem they will be releasing a patch for it. Suggestion was that we upgrade to ESXi 5.0 or newer.
ESX and ESXi 4.x aren't supported anymore, so VMware will probably not list them in the KB article.
That said, ALL ESX (classic) versions are affected because they run a bash shell in the service console OS.
ALL ESXi versions are safe from this vulnerability because they run a busybox ash shell instead.
General support for 4.x ended 2014/05/21, see: https://www.vmware.com/files/pdf/support/Product-Lifecycle-Matrix.pdf
If you still have a valid SnS (aka support and subscription) contract after this date that means while you don't get support, you can upgrade your licenses to 5.x free of charge and automatically get support again once you've upgraded.
From the above-mentioned KB:
Note: After careful consideration, VMware will make VMware ESX 4.0 and 4.1 security patches available for the Bash Shell vulnerability. This security patch release is an exception to the existing VMware lifecycle policy. VMware is making this exception because of the reported critical severity of the Bash vulnerability and because the product passed the end of general support within the last four months. We encourage you to upgrade to our most current releases. The VMware Global Services teams are available to assist you in any way.