First, refresh all security info
subscription-manager refresh
yum clean all
yum repolist
yum updateinfo summary
yum updateinfo list security
yum updateinfo list available
yum updateinfo list bugzillas
yum updateinfo list security all
yum updateinfo list sec
Then you can apply only security updates
yum --security update
If you have the CVEs in a file
yum -y update `cat cves |while read c;do echo " --cve $c ";done|xargs`
reference: https://access.redhat.com/solutions/10021