Re: Perhaps someone familiar with Oracle products can tell me...
Yes to the majority of the affected products, and some of the exploits make it nearly impossible to know if the systems have been 'root kitted' without a full binary audit from a trusted source, or leaked information somewhere.
And whats worse, is the outages that will be impacted to business, services over the next few weeks / months / years to remediate the affected products with a new version of BASH.
Just to note the impact of ShellShock, From the Oracle security bulletin :
Solaris 8,9,10; BASH is not the root shell but is available to users,applications, etc for use. Any service running under BASH or cgi script may be exploitable. As a minimum, a service / application, etc restart would be required after the patches are applied / tested.
Solaris 11; BASH is the root shell and is also available to users, applications, etc for use. Any service running under BASH or cgi script may be exploitable. As a minimum, a system reboot would be required after the patches are applied / tested.
Oracle LINUX; same restrictions as RedHat, reboot, etc.
ILOMS & XSCF; Firmware upgrade, and hope not to loose the configs. Both have web interfaces.
Oracle VM 2.2, 3.2, 3.3; reboot of all your LDOMS after patches are applied / tested.
The CISCO rebadged fibre channel switches may need a reboot, outage affecting all connected fibre's / systems / etc.
Im surprised that they havn't listed Oracle Enterprise Manager as yet considering its 'heavy' web interface along with it's use of shell / java scripts.