A flaw was found in cloud-init. SSH host keys are not regenerated when new VM instances are created in combination with hashicorp packer and cloud-init. This could lead to the Man In The Middle (MITM) attack.
Created cloud-init tracking bugs for this issue:
Affects: epel-6 [bug 1598833]
Affects: fedora-all [bug 1598832]
Upstream commit now merged to master: