CVEs in NSM dependencies

[denis-tingaikin]

From Giang Tran

CVE-2022-28946: An issue in the component ast/parser.go of Open Policy Agent v0.39.0 causes the application to incorrectly interpret every expression, causing a Denial of Service (DoS) via triggering out-of-range memory access.
CVE-2022-33082: An issue in the AST parser (ast/compile.go) of Open Policy Agent v0.10.2 allows attackers to cause a Denial of Service (DoS) via a crafted input.
In NSC:
CVE-2022-27191: The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
CVE-2021-44716: net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.

We should check these CVEs in NSM deps.

[ThetaDR]

Checked the repositories for this vulnerabilities - the dependencies are either newer or we don't have them.

[denis-tingaikin]

Two new CVEs from customers:

1. CVE-2022-3172: Aggregated API server can cause clients to be redirected (SSRF) kubernetes/kubernetes#112513
2. https://nvd.nist.gov/vuln/detail/CVE-2022-32149

[denis-tingaikin]

Fixed by networkservicemesh/sdk-k8s#405