Can I simply replace log4j-core-2.x (e.g. 2.8.2) with 2.17.1 without breaking backward compatibility? In other words, is Log4j project following Semantic Versioning?

Log4J official changelog does not provide any clear statement on that. But this would be a dramatic simplification in the remediation process.

Bonus question: is this also true for log4j-api-2.x?

There has been some API breakage in log4j-core, so it is not strictly semantically versioned. The only one I am aware of is:

• The ConfigurationFactory#getConfiguration methods got an additional LoggerContext parameter (see LOG4J2-1547). This can prevent a Log4j upgrade in old Spring Boot 1.2.x versions (see this question).

However, this might be the only exception to semantic versioning, so you should upgrade the library and see if everything works.