Addressing vulnerabilities in upstream apps

How does the RHSC package users address vulnerabilities found in bundled projects like php 7.2.10, that have been addressed upstream developers, say in 7.2.14 but have yet to be made available to enterprise users of RHSC? This has now come up a few times when we do releases, and we get the dreaded "no go", because a patch is not readily available . If we go out and deploy open source version available from the dev community, say php 7.2.14, will we still get support from REDHAT?