I'm trying to get PCI compliant and the PCI scanning company is flagging our Ubuntu 12.04 PHP 5.3.10-1ubuntu3.9 for CVE-2013-1635. According to http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1635.html the Ubuntu response is "We do not support the use of open_basedir" and all versions have been marked as ignored.
I'm at a loss for what to do here. I've pointed my scanning company to this same URL, but they don't accept that as an answer.
What should I do?
Update
I do not use this functionality and the open_basedir directive is disabled in php.ini. However, they do not consider this a proper solution.
Here is their response to their denial of my dispute:
We have denied this dispute based on the information provided regarding how this finding has been addressed. The version of PHP that is currently running on this system has been found to not properly sanitize user-supplied input. Despite the fact that 'open_basedir' is disabled on this system, an attacker can exploit this issue and write wsdl files within the context of the affected application. Also, it has been found that other attacks are also possible. As a result, the 'soap.wsdl_cache_dir' directive sets the directory name where the SOAP extension will place the cache files. Disabling 'open_basedir' has not 1) removed cache files that already exist and/or 2) ceased the possibility of new cache files from being placed into an arbitrary directory.
Please review https://www.pcisecuritystandards.org/security_standards/glossary.php#Compensating%20Controls for the definition of a compensating control. Among other things "Compensating controls must:…Be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements)", and disabling 'open_basedir' does not really go above and beyond, the underlying issue should really be addressed here. Again, the requirements as listed within the scan report are to upgrade the system or utilize the compensating controls mentioned (which, disabling open_basedir would not be sufficient in this case).
Any issues detected on a system that is in scope for PCI DSS compliance would need to have all PCI non-compliant issues remediated (which is any system involved in the storage, processing, and/or transmission of credit card holder data and any system directly connected to a network involved in such processes which does not have proper network segmentation in place).
Please review the scan report and follow the suggestions found underneath the “Remediation” column and then perform another scan when the vulnerability has been remediated to clear the finding from your next scan report.
If the vulnerability continues to be detected after this point and/or if you have already performed this then please feel free to re-dispute this vulnerability and explain what was performed to address the finding.
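The scanner's denial turns on two things: whether the SOAP extension can still write WSDL cache files, and whether cache files already exist in soap.wsdl_cache_dir. The script below is an added example (not from the question or from the scanning vendor) that audits those directives from a php.ini-style file and lists existing cache files; it assumes simple "key = value" ini lines and PHP's "wsdl-*" cache file naming, and the constructed ini in the test is not a real host's configuration.

```shell
#!/bin/sh
# Added example: audit the PHP directives the scanner response refers to
# (open_basedir, soap.wsdl_cache_enabled, soap.wsdl_cache_dir) and report
# any WSDL cache files already present. Run it against the real php.ini
# on the host; the ini layout and "wsdl-*" naming are assumptions.

# ini_value FILE KEY -> prints the uncommented value of KEY (last one wins)
ini_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for sed
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*;.*$//; s/^"//; s/"$//' | tail -n 1
}

# audit_soap_cache FILE -> prints the settings and one line per finding;
# returns 0 only when caching is off and no cache files exist
audit_soap_cache() {
    ini="$1"
    enabled=$(ini_value "$ini" soap.wsdl_cache_enabled)
    dir=$(ini_value "$ini" soap.wsdl_cache_dir)
    basedir=$(ini_value "$ini" open_basedir)
    rc=0
    echo "open_basedir=${basedir:-<unset>} soap.wsdl_cache_enabled=${enabled:-<unset>} soap.wsdl_cache_dir=${dir:-<unset>}"
    # PHP defaults the cache to enabled when the directive is absent
    if [ "${enabled:-1}" != "0" ]; then
        echo "FINDING: WSDL caching is enabled; new cache files can still be written"
        rc=1
    fi
    if [ -n "$dir" ] && [ -d "$dir" ]; then
        n=$(find "$dir" -maxdepth 1 -type f -name 'wsdl-*' | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            echo "FINDING: $n existing WSDL cache file(s) in $dir; remove them"
            rc=1
        fi
    fi
    return $rc
}
```

Attach the output to the dispute alongside the Canonical tracker link; it documents both the directive state and the absence of leftover cache files, which is what the denial says is missing.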