Detect GitLab SSRF Exploitation (CVE-2021-22175) in Sumo Logic CSE
Detects exploitation of CVE-2021-22175, a Server-Side Request Forgery (SSRF) vulnerability in GitLab. An attacker can craft requests that cause the GitLab server to make HTTP requests to internal or external resources, potentially exposing cloud metadata endpoints, internal services, or facilitating lateral movement. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
MITRE ATT&CK
Sumo Detection Query
_sourceCategory=gitlab/access OR _sourceCategory=nginx/access OR _sourceCategory=web/proxy
| parse regex "(?<src_ip>\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) .* \"(?:GET|POST|PUT|PATCH) (?<uri_path>[^\s?]+)(?:\\?(?<uri_query>[^\s]*))? HTTP" nodrop
| parse regex "\"(?<status_code>\\d{3})\"" nodrop
| where uri_path matches "*/import*" or uri_path matches "*/hook*" or uri_path matches "*/webhook*" or uri_path matches "*/integrations*"
| urldecode(uri_query) as decoded_query
| where decoded_query matches "*169.254.169.254*" or decoded_query matches "*metadata.google.internal*" or decoded_query matches "*localhost*" or decoded_query matches "*127.0.0.1*" or decoded_query matches "*10.*" or decoded_query matches "*192.168.*" or decoded_query matches "*file://*" or decoded_query matches "*gopher://*"
| eval ssrf_type = if(decoded_query matches "*169.254*", "CLOUD_METADATA", if(decoded_query matches "*localhost*" or decoded_query matches "*127.0*", "LOOPBACK", "INTERNAL_NETWORK"))
| count by src_ip, uri_path, ssrf_type, status_code
| sort by _count descSumo Logic query parsing GitLab and web proxy access logs to identify SSRF exploitation attempts by detecting requests to GitLab import/webhook endpoints containing internal IP ranges or cloud metadata addresses in URL parameters.
Data Sources
Required Tables
False Positives & Tuning
- Scheduled GitLab mirror sync jobs pulling from internally-hosted Git repositories
- Developer testing of webhook endpoints using private network addresses in non-production environments
- Automated security scanning tools configured to test SSRF protections
- Cloud-native GitLab deployments where instance metadata is legitimately accessed
Other platforms for CVE-2021-22175
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1GitLab SSRF via Project Import URL - AWS Metadata
Expected signal: Outbound HTTP GET to 169.254.169.254 from GitLab server process; network flow record showing connection to 169.254.0.0/16 from GitLab host; GitLab production.log entry with import_url containing metadata endpoint
- Test 2GitLab SSRF via Webhook Creation - Internal Service Probe
Expected signal: Network connection from GitLab server to 192.168.1.1:8500 visible in network flow data; GitLab web_hooks table entry with internal IP URL; web server access log showing webhook API POST with internal URL in body
- Test 3GitLab SSRF via Remote Mirror - Loopback File Access
Expected signal: GitLab application log entries showing file:// or gopher:// scheme in remote mirror URL; database record in remote_mirrors table with dangerous URL scheme; error log entries from GitLab attempting to process the invalid/dangerous URL
Unlock Pro Content
Get the full detection package for CVE-2021-22175 including response playbook, investigation guide, and atomic red team tests.