It should be, as ESX 4 is vulnerable as well, with the difference being there is a patch available for ESX 4. I think the recommendation would be to upgrade to at least ver 4 and apply the patch.
Security advisory located at
I agree that upgrading is the way to go, as no patches will be published for versions below ESX 4.0. I am still curious if versions 2 and 3 run the BASH shell.
All non-ESXi versions (1.x-4.x) have a Red Hat-based service console that has an old bash version installed.