This is the way the PCI-DSS industry works - trained monkeys run automated scanning software against applications then jump up and down if it turns red. Attempting to reason with the monkeys serves no useful function as they only understand red and green. Don't get me wrong - the guys who wrote the code in most of these tools are very smart - but they are not the people you have to deal with. And unfortnautely the monkeys have been given a lot of power. The existence of an issue does not mean that the issue is exploitable.
In fairness to the monkeys, NIST put the risk as 'high'. But I agree with Redhat - the only way this could be exploited is by someone with access to the php code or if you pass user supplied values direct to lowe level functions.
If I were in your shoes then the first thing I'd do would be to check if the code uses shared memory at all - and if not add the relevant function to the disable_functions settings in php.ini. While proving that the bug is not exploitable by an attacker with the function enabled and in use in the code is difficult, it's provable that the bug cannot be exploited if the function is not accessible. Whether that will pacify the monkeys is another story of course.