There are now manual steps for mitigating the vulnerability.

See https://confluence.atlassian.com/doc/confluence-security-adv...

It is strange that they didn't have mitigation steps earlier, but I'm guessing Atlassian announced this immediately since it was already being exploited.