RHEL-109500

AH: Unsafe URL with %3f URL rewritten without UnsafeAllow3F in RHEL 8 after OS patching


    • Type: Bug
    • Resolution: Not a Bug
    • Priority: Undefined
    • rhel-8.10
    • httpd
    • Low
    • Customer Escalated
    • rhel-stacks-web-servers

      What were you trying to do that didn't work?

      The customer applied the quarterly RHEL 8.10 OS patch (June 2025 cycle) to their TEST environment (Apache 2.4.37). After patching, they again encountered the previously reported CVE-related vulnerability affecting SAP Application–EAI Gateway connectivity. The issue had been mitigated earlier (Aug 2024) by adding the UnsafeAllow3F flag to the RewriteRule. The same problem did not occur after the Feb 2025 patch but reappeared following the June 2025 patch.

      What is the impact of this issue to you?

      The security vulnerability reappearing after patching means they cannot proceed with OS patching in PROD without introducing the same risk.

      • They cannot bypass the vulnerability on PROD without implementing a time-consuming manual configuration change for each affected URL.
      • This may delay the production patching schedule and potentially leave the system exposed.
      • There is an urgent operational requirement to patch PROD while keeping SAP–EAI Gateway connectivity functional.
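      To make the mitigation the ticket refers to concrete, the following is an added illustration of the RewriteRule change, not configuration taken from the ticket or from the customer's system; the URL paths, the backend host and port, and the proxying flags are assumptions. The first rule is a plain proxying rewrite whose back-reference can carry a decoded "%3f" (an encoded "?") from the request path into the substitution; on httpd builds that carry the 2.4.60 mod_rewrite hardening, such a request is refused with a 403 and the "AH: Unsafe URL with %3f URL rewritten without UnsafeAllow3F" entry shown under Actual Result is logged. The second is the same rule with the UnsafeAllow3F flag the customer added in Aug 2024, which opts that single rule back into the pre-fix behaviour.

```apache
# Added example, not from the ticket. Paths, host and port are assumptions.
# A request such as /eai/order%3Fid=1 carries an encoded '?' in its path; the
# capture group $1 receives it decoded, so the substitution would turn the
# remainder into a query string for the proxied backend.

RewriteEngine On

# Before (shown commented out): on httpd builds with the 2.4.60 hardening this
# rule answers 403 for such requests and logs
# "AH: Unsafe URL with %3f URL rewritten without UnsafeAllow3F".
# RewriteRule "^/eai/(.*)$" "http://igw-backend.example.com:1457/gateway/$1" [P,L]

# After: the same rule with the flag from the ticket. Keep the flag on the one
# rule that needs it; it re-enables exactly the behaviour the hardening guards
# against, so applying it to every rule widens the exposure.
RewriteRule "^/eai/(.*)$" "http://igw-backend.example.com:1457/gateway/$1" [P,L,UnsafeAllow3F]
```

      Because the flag is attached per rule, a site with many rewritten URLs needs one such edit per rule, which is the "time-consuming manual configuration change for each affected URL" the ticket describes. When the flag is added, confirming that the rewrite:error line no longer appears in the error log for the affected URLs is the direct check that the change took effect.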

      Please provide the package NVR for which the bug is seen:

      httpd-2.4.37-65.module+el8.10.0+23042+b3baf0f4.4.x86_64

      How reproducible is this bug?:

      The bug is not easily reproducible because the quarterly OS patch can only be applied once per environment.

      • The issue appeared immediately after applying the June 2025 patch on TEST.
      • The patch cannot be reverted on TEST to re-run the scenario.

      Actual Result

      After OS patching the customer gets a 403 error followed by a timeout.

      [Wed Jun 25 11:12:00.857412 2025] [rewrite:error] [pid 3362265:tid 140317571405568] [client 115.110.104.174:29645] AH: Unsafe URL with %3f URL rewritten without UnsafeAllow3F
      [Wed Jun 25 11:17:12.170895 2025] [proxy_http:error] [pid 4112:tid 140317235697408] (70007)The timeout specified has expired: [client 141.172.35.11:48850] AH01102: error reading status line from remote server igwtest.upm.com:1457

      Expected results

      Attachments:
        1. FEB_Patching.txt (130 kB, Monali Patil)
        2. JUN_patching.txt (51 kB, Monali Patil)

      People: Lubos Uhliarik (luhliari@redhat.com), Monali Patil (rhn-support-mopatil), Branislav Náter
      Votes: 0
      Watchers: 11