Cisco ISE : CSCwa47133 - Evaluation log4j CVE-2021-44228

Kundan Prasad
Level 1

Hello Experts!

I see that Cisco ISE has been moved to Vulnerable Products from Products Under Investigation.
Will there be any problem on Cisco ISE due to this so-called log4j?

8 Replies

Leo Laohoo
Hall of Fame

The list of affected products can be found here: Vulnerability in Apache Log4j Library Affecting Cisco Products

Fixes are not yet out.

patoberli
VIP Alumni

Probably yes. So you need to make sure that your ISE gets patched as quickly as possible, once a patch is out. Alternatively, I do hope for a workaround. I can't tell you how bad this is, but I guess that if you have the guest portal active, any person reaching this portal can take over the ISE (in the worst case).

avi
Level 1

The fix for the Log4j vulnerability is now available for versions 2.4, 2.6, 2.7 and 3.0. You can get it with your CCO ID.

https://software.cisco.com/download/home/283801620/type/283802505/release/Log4j2-fix-2.4-3.0?catid=268438162

We are on ISE version 2.0, model SNS-3415.

Does version 2.0 not support patching to resolve vulnerabilities?


@Louis-B wrote:

Does version 2.0 not support patching to resolve vulnerabilities?


No, it does not.

I see the patch for ISE 2.4 was released on 17th December.

But looking at the timeline in the advisory, log4j version 2.16 has since been disclosed as vulnerable on 18th December.

Does anyone know if this means we are waiting for another patch to be released?

Answering my own question:

I just found that the patch removes the JndiLookup class from the classpath, which also satisfies the fix in 2.17 for CVE-2021-45046.

No need to patch again, yet.

Omar Santos
Cisco Employee

Hello,

I noticed this thread and wanted to provide additional details about the impact of the Log4j RCE (Log4Shell) vulnerability in Cisco Identity Services Engine (ISE) and other Cisco products.

Cisco released hotfixes that address this vulnerability in December 2021. The hotfix completely removes the JndiLookup.class from the code. In addition, Log4j will be upgraded to 2.17.0 in the next release of Cisco ISE software.

Refer to the following FAQ for additional information about the hotfixes and affected ISE versions:
https://www.cisco.com/c/dam/en/us/products/se/2021/12/Collateral/ise-log4j-faq.pdf

The Cisco Event Response page includes additional frequently asked questions about the investigation of all Cisco products and services: https://tools.cisco.com/security/center/resources/prod_svc_info_log4j.html

The Cisco Security Advisory includes the list of all Cisco products affected and is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

Hope this helps!
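Two replies above describe the same mitigation state: the hotfix removes `JndiLookup.class` from the log4j-core jar, and a later release upgrades log4j-core to 2.17.0. The script below is an added example (not from this thread, not Cisco's hotfix code, and not something you can run on an ISE appliance without shell access) that shows how a defender verifies that state on any Java deployment they do control: it walks a directory of archives, recurses into nested jars/wars, reads the log4j-core version from `pom.properties`, and reports whether the lookup class is still present. The sample jars it builds with `build_sample_jar` and `build_sample_war` are constructed in memory for an offline demonstration; the class-file bytes in them are fake placeholders.

```python
import io
import sys
import zipfile
from pathlib import Path

# Entry removed by the hotfix described above; the version file lets us tell
# "removed" apart from "upgraded past the need for removal" (2.17.0 per the thread).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
FIXED_VERSION = (2, 17, 0)


def _version_from_pom(zf):
    """Return the log4j-core version recorded in pom.properties, or None."""
    try:
        text = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_jar_bytes(data, name="<bytes>"):
    """Inspect one archive image, recursing into nested archives.

    Returns a list of findings, one per (nested) archive that either carries
    log4j-core's pom.properties or still contains JndiLookup.class.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing to inspect
    with zf:
        names = sorted(zf.namelist())
        version = _version_from_pom(zf)
        present = JNDI_LOOKUP in names
        if version is not None or present:
            findings.append({"path": name, "log4j_core_version": version,
                             "jndi_lookup_present": present})
        for entry in names:
            if entry.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(inspect_jar_bytes(zf.read(entry), f"{name}!{entry}"))
    return findings


def scan_paths(root):
    """Inspect every archive under a directory tree (on-disk use of the checker)."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(inspect_jar_bytes(p.read_bytes(), str(p)))
    return findings


def classify(finding):
    """Turn one finding into an actionable status string."""
    version = finding["log4j_core_version"]
    parts = tuple(int(x) for x in (version or "0").split(".") if x.isdigit())
    parts = (parts + (0, 0, 0))[:3]  # pad so "2.17" compares like "2.17.0"
    if not finding["jndi_lookup_present"]:
        return "MITIGATED: JndiLookup.class removed (hotfix-style fix)"
    if version is not None and parts >= FIXED_VERSION:
        return f"UPGRADED: log4j-core {version}"
    return f"NEEDS-ACTION: JndiLookup.class present in log4j-core {version or 'unknown'}"


# --- constructed sample archives for an offline demonstration (not real log4j) ---
def build_sample_jar(version, include_jndi):
    """Build a minimal log4j-core-like jar image; class bytes are a fake placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_war(inner_jar):
    """Wrap a jar image inside a war image, as an application bundle would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", inner_jar)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_paths(sys.argv[1])  # e.g. python check_jndi.py /opt/app/lib
    else:
        results = inspect_jar_bytes(build_sample_war(build_sample_jar("2.14.1", True)), "sample.war")
    for f in results:
        print(f["path"], "->", classify(f))
```

Run it with a directory argument to scan real archives; with no argument it inspects the constructed sample war and reports the nested jar as NEEDS-ACTION. The check deliberately treats "class removed" and "version at or above 2.17.0" as two separate green states, matching the two fix paths named in the thread.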

 
