Technical information on why the Elastic community does not recommend directly replacing jars.
The Apache v2 license applies to both Elastic versions mentioned and Log4j 2.17.1. Does the Elastic community anticipate any license violations if we replace the log4j 2.x version with the Log4j 2.17.1 jar (from Apache Downloads) on the Elastic stack component versions (5.2, 6.2.2 and OSS distribution of 7.10.2) after validating our use cases?
It's not tested or supported and it's entirely possible that it just doesn't work. The announcement to which @leandrojmp linked contains advice and recommendations for what to do with older versions, although of course the primary recommendation is to address any blockers and upgrade to supported versions as a matter of urgency.
We can't offer legal advice. You will need to consult your own lawyer to answer this question.