From the Red Hat CVE Database entry on CVE-2018-11776:
"Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from
possible Remote Code Execution when using results with no namespace
and in same time, its upper action(s) have no or wildcard
namespace. Same possibility when using url tag which doesn't have
value and action set and in same time, its upper action(s) have no
or wildcard namespace."
Is CA Single Sign-On product vulnerable to CVE-2018-11776?
CA Single Sign-On is not vulnerable to CVE-2018-11776, as CA Single
Sign-On includes struts 1.x version
Red Hat CVE database: https://access.redhat.com/security/cve/cve-2018-11776