A vulnerability was found in the Azure plugin of cloud-init. The entire list of certificates and public keys exposed from the wireserver is added to the authorized_keys file for the user-to-be-provisioned, regardless of whether they belong to the user or not.

Upstream commit: https://code.launchpad.net/~jasonzio/cloud-init/+git/cloud-init/+merge/363445
External References: https://support.microsoft.com/en-us/help/4491476/extraneous-ssh-public-keys-added-to-authorized-keys-file-on-linux-vm
Mitigation: See steps from https://support.microsoft.com/en-us/help/4491476/extraneous-ssh-public-keys-added-to-authorized-keys-file-on-linux-vm
Created cloud-init tracking bugs for this issue:
Affects: epel-6 [bug 1688367]
Affects: fedora-all [bug 1688366]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2019:0597 https://access.redhat.com/errata/RHSA-2019:0597
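
An added example, not part of the original report or of cloud-init's code: one way to audit a provisioned user's authorized_keys for entries beyond the keys the owner expects, which is the symptom described above. The function names, the allow-list of expected fingerprints and the sample keys are assumptions constructed for illustration.

```python
import base64, hashlib, struct

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def split_fields(line):
    """Split on whitespace, keeping double-quoted option values intact."""
    fields, cur, quoted = [], "", False
    for ch in line.strip():
        quoted ^= ch == '"'
        if ch.isspace() and not quoted:
            fields.append(cur)
            cur = ""
        else:
            cur += ch
    return [f for f in fields + [cur] if f]

def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(text, expected):
    """Return (line_no, fingerprint, comment) for keys not in `expected`."""
    extra = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        f = split_fields(line)
        # The key type is field 0, or field 1 when an options field precedes it.
        idx = next((i for i, t in enumerate(f[:2]) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(f):
            extra.append((no, "UNPARSEABLE", line.strip()))
            continue
        fp = fingerprint(f[idx + 1])
        if fp not in expected:
            extra.append((no, fp, " ".join(f[idx + 2:])))
    return extra

def fake_key(kind, seed):  # constructed blob for the sample, not a usable key
    raw = struct.pack(">I", len(kind)) + kind.encode() + seed.encode() * 8
    return base64.b64encode(raw).decode()

ADMIN = fake_key("ssh-ed25519", "admin")
SAMPLE = "\n".join([
    "# constructed authorized_keys content",
    f"ssh-ed25519 {ADMIN} azureuser@laptop",
    f"ssh-rsa {fake_key('ssh-rsa', 'other')} ",
    f'command="echo hi there",no-pty ssh-rsa {fake_key("ssh-rsa", "svc")} backup',
])
EXPECTED = {fingerprint(ADMIN)}
```

Calling audit(SAMPLE, EXPECTED) reports the two entries whose fingerprints are not in the allow-list; on a real system the expected set would come from the fingerprints of the keys the VM owner actually supplied.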