The default cloud-init configuration included "ssh_deletekeys: 0", disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances created by cloning a golden master or template system, sharing ssh host keys, and being able to impersonate one another or conduct man-in-the-middle attacks.
A flaw was found in cloud-init. SSH host keys are not regenerated when new VM instances are created in combination with hashicorp packer and cloud-init. This could lead to the Man In The Middle (MITM) attack.
Created cloud-init tracking bugs for this issue:
Affects: epel-6 [bug 1598833]
Affects: fedora-all [bug 1598832]
Upstream commit now merged to master: