Mitigation for CVE-2023-2088 on OSP16 & OSP17

Solution Verified

Issue

Unauthorized access to a volume can occur when an iSCSI connection (using shared targets) or an FC connection from a host is severed because the volume was unmapped on the storage system, and the device is later reused for another volume on the same host.

This data leak can be triggered by two different situations, as reported in CVE-2023-2088.

Accidental case
If there is a problem with network connectivity during a normal detach operation, OpenStack may fail to clean the connection up properly. Instead of force-detaching the compute node device, Nova ignores the error, since the instance has already been deleted. Because of this incomplete operation, OpenStack may end up selecting the wrong multipath device when connecting another volume to an instance.

Intentional case
A regular user can create an instance with a volume, and then delete the volume attachment directly in Cinder, which neglects to notify Nova. The compute node SCSI plumbing (over iSCSI/FC) will continue trying to connect to the original host/port/LUN, not knowing the attachment has been deleted. If a subsequent volume attachment reuses the host/port/LUN for a different instance and volume, the original instance will gain access to it once the SCSI plumbing reconnects.
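In both cases the symptom on the compute node is the same: a multipath map whose paths have all gone failed/faulty survives the detach, and the host/port/LUN behind it can later be handed to a different volume. The following Python script is an added example, not part of this article or of the OpenStack code base; it parses `multipath -ll` output (a constructed sample is embedded, and the stale-map heuristic of "no path in the active/ready state" is an assumption) and reports maps that an operator should clean up on the host before new attachments are made.

```python
import re
import subprocess
from dataclasses import dataclass, field

# Constructed sample of `multipath -ll` output (not captured from a real host).
# dm-2 is healthy; dm-3 has only failed/faulty paths, the residue of a
# detach that never completed on the compute node.
SAMPLE_MULTIPATH_LL = """\
36001405aaaa0001 dm-2 LIO-ORG,TCMU device
size=10G features='0' hwhandler='1 alua' wp=rw
`-+- policy='service-time 0' prio=50 status=active
  |- 3:0:0:1 sdb 8:16 active ready running
  `- 4:0:0:1 sdc 8:32 active ready running
36001405bbbb0002 dm-3 LIO-ORG,TCMU device
size=20G features='0' hwhandler='1 alua' wp=rw
`-+- policy='service-time 0' prio=0 status=enabled
  |- 3:0:0:2 sdd 8:48 failed faulty running
  `- 4:0:0:2 sde 8:64 failed faulty running
"""

# A map header is an unindented line: "<wwid> dm-N <vendor,product>".
MAP_RE = re.compile(r"^(?P<wwid>\S+)\s+(?P<dm>dm-\d+)\s")
# A path line carries "H:C:T:L <sdX> major:minor <dm_state> <path_state> <online>".
PATH_RE = re.compile(
    r"(?P<hctl>\d+:\d+:\d+:\d+)\s+(?P<dev>sd\w+)\s+\d+:\d+\s+"
    r"(?P<dm_state>\S+)\s+(?P<path_state>\S+)\s+(?P<online>\S+)"
)


@dataclass
class MultipathMap:
    wwid: str
    dm: str
    # Each entry: (hctl, device, dm_state, path_state)
    paths: list = field(default_factory=list)

    def has_usable_path(self) -> bool:
        return any(dm == "active" and st == "ready" for _, _, dm, st in self.paths)


def parse_multipath_ll(text: str) -> list:
    """Group path lines under the map header that precedes them."""
    maps, current = [], None
    for line in text.splitlines():
        header = MAP_RE.match(line)
        if header and not line[0].isspace():
            current = MultipathMap(header["wwid"], header["dm"])
            maps.append(current)
            continue
        path = PATH_RE.search(line)
        if path and current is not None:
            current.paths.append(
                (path["hctl"], path["dev"], path["dm_state"], path["path_state"])
            )
    return maps


def find_stale_maps(text: str) -> list:
    """Maps that still exist on the host but have no active/ready path."""
    return [m for m in parse_multipath_ll(text) if m.paths and not m.has_usable_path()]


def report(text: str) -> list:
    """Human-readable lines, one per stale map, for an operator's checklist."""
    lines = []
    for m in find_stale_maps(text):
        devs = ", ".join(f"{hctl} ({dev})" for hctl, dev, _, _ in m.paths)
        lines.append(f"{m.wwid} ({m.dm}): no usable path; leftover paths: {devs}")
    return lines


if __name__ == "__main__":
    # On a real compute node, read the live multipath state; fall back to the sample.
    try:
        output = subprocess.run(
            ["multipath", "-ll"], capture_output=True, text=True, check=False
        ).stdout
    except FileNotFoundError:
        output = SAMPLE_MULTIPATH_LL
    for line in report(output or SAMPLE_MULTIPATH_LL):
        print(line)
```

The WWID reported for a stale map is the key to correlate with Cinder: if no current attachment on that host references the volume behind it, the map is the dangling SCSI plumbing described above, and it should be flushed (and the iSCSI session or FC LUN logged out or rescanned) before the next attach, rather than left for multipathd to reconnect to whatever volume next appears at that host/port/LUN.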

Environment

OpenStack deployments using iSCSI or FC transport protocols for volumes may be affected by this issue; other protocols, such as RBD/Ceph, NFS, and NVMe-oF, are not affected.

Not all storage systems using iSCSI and FC are affected, because it depends on the Cinder driver and on storage-array-specific behavior. For example, iSCSI Cinder drivers that use a per-volume target instead of a per-host target (what we call a shared target) are not affected, and some storage arrays send a Power-on or device reset Unit Attention event that triggers actions on the Linux kernel side that prevent the issue from happening (this signal has been seen on an HPE 3PAR FC system).
